US-20260095324-A1

Reusable Designated Verifier Non-Interactive Zero-Knowledge Proofs from Lossy Trapdoor Functions

Published: April 2, 2026
Assignee: not available in USPTO data
Technical Abstract

The present disclosure provides a method for secure attribute-based encryption with function hiding properties. The method comprises generating encryption parameters by sampling a hash function from a pairwise-independent hash family as a public parameter, generating trapdoor function pairs for each position and binary value, setting a public key as the set of trapdoor functions, generating a secret key comprising a binary string of specified length and trapdoor function inverses, and storing remaining trapdoor function inverses as a master secret key. The method further comprises receiving a message and attribute, encrypting the message under the attribute by sampling a random secret, generating shares using a share generating algorithm, computing ciphertext components for each position and binary value, computing a final ciphertext component using bitwise exclusive OR operation, assembling a complete ciphertext, and transmitting the complete ciphertext.

Patent Claims

Legal claims defining the scope of protection, as filed with the USPTO.

1

A method for secure attribute-based encryption with function hiding properties, comprising:
(a) generating encryption parameters using a processor by:
  (i) sampling a hash function H from a pairwise-independent hash family as a public parameter and storing the hash function H in a memory;
  (ii) generating a sequence of trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) for i∈[n] and b∈{0,1}, where n is a positive integer, and storing the trapdoor function pairs in the memory;
  (iii) setting a public key pk as the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}} and storing the public key pk in the memory;
  (iv) generating a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses {g_{i,ƒ_i}^{-1}}_{i∈[n]}, where ƒ_i is the i-th bit of ƒ, and storing the secret key sk in the memory; and
  (v) storing remaining trapdoor function inverses as a master secret key in a memory;
(b) receiving, via a network interface device, a message m to be encrypted and an attribute x, and storing the message m and the attribute x in the memory;
(c) encrypting the message m under the attribute x using the processor by:
  (i) sampling a random secret s and storing the random secret s in the memory;
  (ii) generating shares (a_{1,0}, a_{1,1}, ..., a_{n,0}, a_{n,1}) using a share generating algorithm executed by the processor and storing the generated shares in the memory;
  (iii) computing ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for i∈[n] and b∈{0,1} using the processor and storing the ciphertext components in the memory; and
  (iv) computing a final ciphertext component ct_0 = m ⊕ H(s), where ⊕ denotes bitwise XOR, and storing the final ciphertext component in the memory;
(d) assembling, using the processor, a complete ciphertext as (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and storing the complete ciphertext in a storage device; and
(e) transmitting the complete ciphertext via the network interface device.

2

The method of claim 1, further comprising decrypting the complete ciphertext by: (i) computing shares by applying the trapdoor function inverses held in the secret key sk to the corresponding ciphertext components; (ii) reconstructing the secret s using a secret sharing reconstruction procedure on the computed shares; and (iii) recovering the message as m = ct_0 ⊕ H(s).

3

The method of claim 1, further comprising implementing function hiding properties, wherein an adversary with access to the complete ciphertext and the message cannot distinguish between two different implementations of encryption functions that produce the same input-output behavior.

4

The method of claim 1, further comprising executing a transformation to construct a designated verifier non-interactive zero knowledge proof, wherein one or more of the following properties are satisfied: (a) the proof is designated for a specific verifier with a secret verification key; (b) the proof consists of a single message from the prover to the designated verifier; (c) the proof demonstrates knowledge of a witness for a statement without revealing any information about the witness beyond its existence; (d) only the designated verifier possessing the secret verification key can validate the proof; (e) the proof cannot be re-used or transferred to convince any other party of the statement's validity; (f) the designated verifier cannot use the proof to convince others, maintaining zero-knowledge even if the verifier is malicious; or (g) the transformation ensures that the resulting proof preserves the security properties of the original attribute-based encryption scheme while adding the designated verifier property.

5

The method of claim 1, wherein the trapdoor function pairs are generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode, and wherein the trapdoor function pairs are efficiently computable and invertible in the injective mode with knowledge of the trapdoor.

6

The method of claim 1, wherein the share generating algorithm implements a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares, and wherein the pairwise-independent hash family is selected to ensure that the entropy of the random secret s given the ciphertext components is sufficiently high to prevent statistical attacks.

7

The method of claim 2, further comprising verifying the integrity of the computed shares by: (a) regenerating all the shares using the reconstructed secret s; (b) applying the trapdoor functions g_{i,b} to the regenerated shares; and (c) comparing the results with the original ciphertext components ct_{i,b}.

8

The method of claim 1, wherein the attribute x and the binary string ƒ represent inputs to a function F(x, ƒ), and decryption succeeds if and only if F(x, ƒ) = 1, thereby implementing attribute-based access control.

9

A system for secure attribute-based encryption with function hiding properties, comprising:
(a) a processor; and
(b) a memory storing instructions that, when executed by the processor, cause the system to perform operations comprising:
  (i) generating encryption parameters by:
    (A) sampling a hash function H from a pairwise-independent hash family as a public parameter and storing the hash function H in the memory;
    (B) generating a sequence of trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) for i∈[n] and b∈{0,1}, where n is a positive integer, and storing the trapdoor function pairs in the memory;
    (C) setting a public key pk as the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}} and storing the public key pk in the memory;
    (D) generating a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses {g_{i,ƒ_i}^{-1}}_{i∈[n]}, where ƒ_i is the i-th bit of ƒ, and storing the secret key sk in the memory; and
    (E) storing remaining trapdoor function inverses as a master secret key in the memory;
  (ii) receiving, via a network interface device, a message m to be encrypted and an attribute x, and storing the message m and the attribute x in the memory;
  (iii) encrypting the message m under the attribute x by:
    (A) sampling a random secret s and storing the random secret s in the memory;
    (B) generating shares (a_{1,0}, a_{1,1}, ..., a_{n,0}, a_{n,1}) using a share generating algorithm and storing the generated shares in the memory;
    (C) computing ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for i∈[n] and b∈{0,1} and storing the ciphertext components in the memory; and
    (D) computing a final ciphertext component ct_0 = m ⊕ H(s), where ⊕ denotes bitwise XOR, and storing the final ciphertext component in the memory;
  (iv) assembling a complete ciphertext as (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and storing the complete ciphertext in a storage device; and
  (v) transmitting the complete ciphertext via the network interface device.

10

The system of claim 9, wherein the operations further comprise decrypting the complete ciphertext by: (i) computing shares by applying the trapdoor function inverses held in the secret key sk to the corresponding ciphertext components; (ii) reconstructing the secret s using a secret sharing reconstruction procedure on the computed shares; and (iii) recovering the message as m = ct_0 ⊕ H(s).

11

The system of claim 9, wherein the operations further comprise implementing function hiding properties, wherein an adversary with access to the complete ciphertext and the message cannot distinguish between two different implementations of encryption functions that produce the same input-output behavior.

12

The system of claim 9, wherein the operations further comprise executing a transformation to construct a designated verifier non-interactive zero knowledge proof, wherein one or more of the following properties are satisfied: (a) the proof is designated for a specific verifier with a secret verification key; (b) the proof consists of a single message from the prover to the designated verifier; (c) the proof demonstrates knowledge of a witness for a statement without revealing any information about the witness beyond its existence; (d) only the designated verifier possessing the secret verification key can validate the proof; (e) the proof cannot be re-used or transferred to convince any other party of the statement's validity; (f) the designated verifier cannot use the proof to convince others, maintaining zero-knowledge even if the verifier is malicious; or (g) the transformation ensures that the resulting proof preserves the security properties of the original attribute-based encryption scheme while adding the designated verifier property.

13

The system of claim 9, wherein the trapdoor function pairs are generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode, and wherein the trapdoor function pairs are efficiently computable and invertible in the injective mode with knowledge of the trapdoor.

14

The system of claim 9, wherein the share generating algorithm implements a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares, and wherein the pairwise-independent hash family is selected to ensure that the entropy of the random secret s given the ciphertext components is sufficiently high to prevent statistical attacks.

15

The system of claim 10, wherein the operations further comprise verifying the integrity of the computed shares by: (a) regenerating all the shares using the reconstructed secret s; (b) applying the trapdoor functions g_{i,b} to the regenerated shares; and (c) comparing the results with the original ciphertext components ct_{i,b}.

16

The system of claim 9, wherein the attribute x and the binary string ƒ represent inputs to a function F(x, ƒ), and decryption succeeds if and only if F(x, ƒ) = 1, thereby implementing attribute-based access control.

17

A non-transitory computer-readable storage medium storing instructions that, when executed by a processor, cause the processor to perform operations for secure attribute-based encryption with function hiding properties, the operations comprising:
(a) generating encryption parameters by:
  (i) sampling a hash function H from a pairwise-independent hash family as a public parameter and storing the hash function H in a memory;
  (ii) generating a sequence of trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) for i∈[n] and b∈{0,1}, where n is a positive integer, and storing the trapdoor function pairs in the memory;
  (iii) setting a public key pk as the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}} and storing the public key pk in the memory;
  (iv) generating a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses {g_{i,ƒ_i}^{-1}}_{i∈[n]}, where ƒ_i is the i-th bit of ƒ, and storing the secret key sk in the memory; and
  (v) storing remaining trapdoor function inverses as a master secret key in a memory;
(b) receiving, via a network interface device, a message m to be encrypted and an attribute x, and storing the message m and the attribute x in the memory;
(c) encrypting the message m under the attribute x using the processor by:
  (i) sampling a random secret s and storing the random secret s in the memory;
  (ii) generating shares (a_{1,0}, a_{1,1}, ..., a_{n,0}, a_{n,1}) using a share generating algorithm executed by the processor and storing the generated shares in the memory;
  (iii) computing ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for i∈[n] and b∈{0,1} using the processor and storing the ciphertext components in the memory; and
  (iv) computing a final ciphertext component ct_0 = m ⊕ H(s), where ⊕ denotes bitwise XOR, and storing the final ciphertext component in the memory;
(d) assembling, using the processor, a complete ciphertext as (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and storing the complete ciphertext in a storage device; and
(e) transmitting the complete ciphertext via the network interface device.

18

The non-transitory computer-readable storage medium of claim 17, wherein the operations further comprise decrypting the complete ciphertext by: (i) computing shares by applying the trapdoor function inverses held in the secret key sk to the corresponding ciphertext components; (ii) reconstructing the secret s using a secret sharing reconstruction procedure on the computed shares; and (iii) recovering the message as m = ct_0 ⊕ H(s).

19

The non-transitory computer-readable storage medium of claim 17, wherein the operations further comprise executing a transformation to construct a designated verifier non-interactive zero knowledge proof, wherein one or more of the following properties are satisfied: (a) the proof is designated for a specific verifier with a secret verification key; (b) the proof consists of a single message from the prover to the designated verifier; (c) the proof demonstrates knowledge of a witness for a statement without revealing any information about the witness beyond its existence; (d) only the designated verifier possessing the secret verification key can validate the proof; (e) the proof cannot be re-used or transferred to convince any other party of the statement's validity; (f) the designated verifier cannot use the proof to convince others, maintaining zero-knowledge even if the verifier is malicious; or (g) the transformation ensures that the resulting proof preserves the security properties of the original attribute-based encryption scheme while adding the designated verifier property.

20

The non-transitory computer-readable storage medium of claim 17, wherein the trapdoor function pairs are generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode, wherein the trapdoor function pairs are efficiently computable and invertible in the injective mode with knowledge of the trapdoor, wherein the share generating algorithm implements a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares, and wherein the attribute x and the binary string ƒ represent inputs to a function F(x, ƒ), and decryption succeeds if and only if F(x, ƒ) = 1, thereby implementing attribute-based access control.

Detailed Description

Complete technical specification and implementation details from the patent document.

This application claims the benefit of U.S. Provisional Application Ser. No. 63/702,601, filed Oct. 2, 2024, the content of which is incorporated by reference herein in its entirety, for all purposes.

The present disclosure relates to cryptographic systems and methods, and more particularly to reusable designated verifier non-interactive zero-knowledge proofs constructed from lossy trapdoor functions.

Interactive proof systems enable a verifier with limited resources to decide an intractable language by communicating with a powerful but untrusted prover. Such systems guarantee soundness: the prover can only convince the verifier of true statements. An interactive proof is zero-knowledge according to standard definitions if, additionally, the interaction reveals nothing beyond the validity of the statement. It is well known that at least one of the above security properties (soundness or zero-knowledge) must be computational, i.e., apply only to computationally-bounded attackers. Furthermore, in the plain model (without any trusted setup), zero-knowledge proofs for languages outside BPP must be interactive.

Blum, Feldman, and Micali showed that interaction may be avoided if the prover and the verifier share a common reference string (CRS) chosen by a trusted third party and given to both the prover and the verifier. They call this notion of proofs that consist of only a single message from the prover to the verifier non-interactive zero-knowledge (NIZK), and show that it is realizable in the CRS model under computational assumptions.

We know several “generic” constructions of NIZKs from other well-known cryptographic primitives. For instance, NIZKs are implied by (doubly-enhanced) trapdoor permutations, by circular-secure fully homomorphic encryption, and by strong KDM encryption. While we know how to instantiate (doubly-enhanced) trapdoor permutations from factoring, the other primitives are much less standard and we still do not have plain-model instantiations of them from standard (and falsifiable) assumptions. NIZKs also exist in the Random Oracle Model (without any additional assumption), but the random oracle is generically uninstantiable in the plain model.

In contrast, we do have many known constructions from concrete algebraic assumptions, including the Diffie-Hellman assumption over bilinear groups, (sub-exponential) Decisional Diffie-Hellman, Learning with Errors (LWE), LPN and MQ, and more. While this is an impressive set of constructions, it is preferable to understand the generic relationship between NIZKs and other cryptographic primitives, allowing us to better position NIZKs in the hierarchy of cryptographic primitives. This modular approach to cryptographic research is crucial to the development of the theoretical foundations of cryptography.

We consider the well-known relaxation of NIZKs to the designated-verifier model (DV-NIZK). Here, a trusted third party generates a CRS together with a secret key, which is given (only) to the verifier and is used to verify proofs. We further consider by default the stronger notion of soundness for DV-NIZKs called reusable soundness, where soundness holds even if the scheme is used multiple times and a malicious prover can test whether the verifier accepts or rejects various proofs. (There is a seemingly weaker notion for DV-NIZKs called one-time soundness wherein soundness is guaranteed only for a single proof of a single statement. DV-NIZKs for NP with one-time soundness can be constructed from any public-key encryption scheme. Plain NIZKs are “automatically” reusable due to their public verifiability property.)

Our current understanding of DV-NIZKs for NP is quite different from that of NIZKs for NP. Specifically, Lombardi et al. gave a clean and modular construction of a DV-NIZK from generic assumptions: a public-key encryption scheme along with a KDM-secure secret-key encryption scheme. Both components can be instantiated under any of the CDH, LWE, or LPN assumptions. This compiler inherently results in an argument system with computational soundness and computational zero-knowledge. Besides this compiler, all other constructions of DV-NIZKs for NP are tailored to a particular algebraic assumption, and we are not aware of any other construction of DV-NIZKs for NP from a generic, “well accepted” primitive, except constructions that ultimately yield a plain NIZK.

Improving our understanding of the minimal assumptions necessary for DV-NIZKs and their relationship to other cryptographic primitives remains an important goal in theoretical cryptography. New approaches to constructing DV-NIZKs generically from standard assumptions could provide valuable insights into the foundations of non-interactive zero-knowledge.

Existing cryptographic frameworks typically require organizations to choose between computational efficiency and advanced security properties such as designated verifier capabilities and statistical zero-knowledge guarantees. The absence of practical constructions that can provide reusable designated verifier non-interactive zero-knowledge proofs from standard assumptions has created a significant gap in the marketplace for cryptographic solutions that can support complex verification requirements while maintaining both security and operational efficiency. Therefore, there exists a substantial commercial need for attribute-based encryption systems that can deliver enhanced function hiding properties and support the construction of designated verifier zero-knowledge proofs suitable for real-world deployment.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.

In this work, we consider the relaxation of NIZKs to the designated-verifier model (DV-NIZK) and present a new framework for constructing (reusable) DV-NIZKs for NP generically from lossy trapdoor functions and PRFs computable by polynomial-size branching programs (a class that includes LOGSPACE). Previous “generic” constructions of DV-NIZK for NP relied either on (doubly-enhanced) trapdoor permutations or on a public-key encryption scheme plus a KDM-secure secret key encryption scheme. Notably, our DV-NIZK framework achieves statistical zero-knowledge. To the best of our knowledge, this is the first DV-NIZK construction from any “generic” standard assumption with statistical zero-knowledge that does not already yield a NIZK.

A key technical component of our construction is an efficient, unconditionally secure secret sharing scheme for non-monotone functions with randomness recovery for all polynomial-size branching programs. As an independent contribution we present an incomparable randomness recoverable (monotone) secret sharing for NC^1 in a model with trusted setup that guarantees computational privacy assuming one-way functions. We believe that these primitives will be useful in related contexts in the future.

According to an aspect of the present disclosure, a method for secure attribute-based encryption with function hiding properties is provided. The method comprises generating encryption parameters using a processor by sampling a hash function H from a pairwise-independent hash family as a public parameter and storing the hash function H in a memory, generating a sequence of trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) for i∈[n] and b∈{0,1}, where n is a positive integer, and storing the trapdoor function pairs in the memory, setting a public key pk as the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}} and storing the public key pk in the memory, generating a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses {g_{i,ƒ_i}^{-1}}_{i∈[n]}, where ƒ_i is the i-th bit of ƒ, and storing the secret key sk in the memory, and storing remaining trapdoor function inverses as a master secret key in a memory. The method further comprises receiving, via a network interface device, a message m to be encrypted and an attribute x, and storing the message m and the attribute x in the memory. The method also comprises encrypting the message m under the attribute x using the processor by sampling a random secret s and storing the random secret s in the memory, generating shares (a_{1,0}, a_{1,1}, ..., a_{n,0}, a_{n,1}) using a share generating algorithm executed by the processor and storing the generated shares in the memory, computing ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for i∈[n] and b∈{0,1} using the processor and storing the ciphertext components in the memory, and computing a final ciphertext component ct_0 = m ⊕ H(s), where ⊕ denotes bitwise XOR, and storing the final ciphertext component in the memory. The method additionally comprises assembling, using the processor, a complete ciphertext as (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and storing the complete ciphertext in a storage device, and transmitting the complete ciphertext via the network interface device.

According to other aspects of the present disclosure, the method may include one or more of the following features. The method may further comprise decrypting the complete ciphertext by computing shares from the ciphertext components using the trapdoor function inverses held in the secret key sk, reconstructing the secret s using a secret sharing reconstruction procedure on the computed shares, and recovering the message as m = ct_0 ⊕ H(s). The method may further comprise implementing function hiding properties, wherein an adversary with access to the complete ciphertext and the message cannot distinguish between two different implementations of encryption functions that produce the same input-output behavior. The method may further comprise executing a transformation to construct a designated verifier non-interactive zero knowledge proof, wherein one or more of the following properties are satisfied: the proof is designated for a specific verifier with a secret verification key, the proof consists of a single message from the prover to the designated verifier, the proof demonstrates knowledge of a witness for a statement without revealing any information about the witness beyond its existence, only the designated verifier possessing the secret verification key can validate the proof, the proof cannot be re-used or transferred to convince any other party of the statement's validity, the designated verifier cannot use the proof to convince others, maintaining zero-knowledge even if the verifier is malicious, or the transformation ensures that the resulting proof preserves the security properties of the original attribute-based encryption scheme while adding the designated verifier property. The trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) may be generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode, and the trapdoor function pairs may be efficiently computable and invertible in the injective mode with knowledge of the trapdoor. The share generating algorithm may implement a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares, and the pairwise-independent hash family may be selected to ensure that the entropy of the random secret s given the ciphertext components is sufficiently high to prevent statistical attacks. The method may further comprise verifying the integrity of the computed shares by regenerating all the shares using the reconstructed secret s, applying the trapdoor functions g_{i,b} to the regenerated shares, and comparing the results with the original ciphertext components ct_{i,b}. The attribute x and the binary string ƒ may represent inputs to a function F(x, ƒ), and decryption succeeds if and only if F(x, ƒ) = 1, thereby implementing attribute-based access control.

According to another aspect of the present disclosure, a system for secure attribute-based encryption with function hiding properties is provided. The system comprises a processor and a memory storing instructions that, when executed by the processor, cause the system to perform operations comprising generating encryption parameters by sampling a hash function H from a pairwise-independent hash family as a public parameter and storing the hash function H in the memory, generating a sequence of trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) for i∈[n] and b∈{0,1}, where n is a positive integer, and storing the trapdoor function pairs in the memory, setting a public key pk as the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}} and storing the public key pk in the memory, generating a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses {g_{i,ƒ_i}^{-1}}_{i∈[n]}, where ƒ_i is the i-th bit of ƒ, and storing the secret key sk in the memory, and storing remaining trapdoor function inverses as a master secret key in the memory. The operations further include receiving, via a network interface device, a message m to be encrypted and an attribute x, and storing the message m and the attribute x in the memory. The operations also include encrypting the message m under the attribute x by sampling a random secret s and storing the random secret s in the memory, generating shares (a_{1,0}, a_{1,1}, ..., a_{n,0}, a_{n,1}) using a share generating algorithm and storing the generated shares in the memory, computing ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for i∈[n] and b∈{0,1} and storing the ciphertext components in the memory, and computing a final ciphertext component ct_0 = m ⊕ H(s), where ⊕ denotes bitwise XOR, and storing the final ciphertext component in the memory. The operations additionally include assembling a complete ciphertext as (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and storing the complete ciphertext in a storage device, and transmitting the complete ciphertext via the network interface device.

According to other aspects of the present disclosure, the system may include one or more of the following features. The operations may further comprise decrypting the complete ciphertext by computing shares from the ciphertext components using the trapdoor function inverses held in the secret key sk, reconstructing the secret s using a secret sharing reconstruction procedure on the computed shares, and recovering the message as m = ct_0 ⊕ H(s). The operations may further comprise implementing function hiding properties, wherein an adversary with access to the complete ciphertext and the message cannot distinguish between two different implementations of encryption functions that produce the same input-output behavior. The operations may further comprise executing a transformation to construct a designated verifier non-interactive zero knowledge proof, wherein one or more of the following properties are satisfied: the proof is designated for a specific verifier with a secret verification key, the proof consists of a single message from the prover to the designated verifier, the proof demonstrates knowledge of a witness for a statement without revealing any information about the witness beyond its existence, only the designated verifier possessing the secret verification key can validate the proof, the proof cannot be re-used or transferred to convince any other party of the statement's validity, the designated verifier cannot use the proof to convince others, maintaining zero-knowledge even if the verifier is malicious, or the transformation ensures that the resulting proof preserves the security properties of the original attribute-based encryption scheme while adding the designated verifier property.

The trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) may be generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode, and the trapdoor function pairs may be efficiently computable and invertible in the injective mode with knowledge of the trapdoor. The share generating algorithm may implement a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares, and the pairwise-independent hash family may be selected to ensure that the entropy of the random secret s given the ciphertext components is sufficiently high to prevent statistical attacks. The operations may further comprise verifying the integrity of the computed shares by regenerating all the shares using the reconstructed secret s, applying the trapdoor functions g_{i,b} to the regenerated shares, and comparing the results with the original ciphertext components ct_{i,b}. The attribute x and the binary string ƒ may represent inputs to a function F(x, ƒ), and decryption succeeds if and only if F(x, ƒ) = 1, thereby implementing attribute-based access control.

According to another aspect of the present disclosure, a non-transitory computer-readable storage medium storing instructions that, when executed by a processor, cause the processor to perform operations for secure attribute-based encryption with function hiding properties is provided. The operations comprise generating encryption parameters by sampling a hash function H from a pairwise-independent hash family as a public parameter and storing the hash function H in a memory, generating a sequence of trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) for i∈[n] and b∈{0,1}, where n is a positive integer, and storing the trapdoor function pairs in the memory, setting a public key pk as the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}} and storing the public key pk in the memory, generating a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses {g_{i,ƒ_i}^{-1}}_{i∈[n]}, where ƒ_i is the i-th bit of ƒ, and storing the secret key sk in the memory, and storing remaining trapdoor function inverses as a master secret key in a memory. The operations further include receiving, via a network interface device, a message m to be encrypted and an attribute x, and storing the message m and the attribute x in the memory. The operations also include encrypting the message m under the attribute x using the processor by sampling a random secret s and storing the random secret s in the memory, generating shares (a_{1,0}, a_{1,1}, ..., a_{n,0}, a_{n,1}) using a share generating algorithm executed by the processor and storing the generated shares in the memory, computing ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for i∈[n] and b∈{0,1} using the processor and storing the ciphertext components in the memory, and computing a final ciphertext component ct_0 = m ⊕ H(s), where ⊕ denotes bitwise XOR, and storing the final ciphertext component in the memory. The operations additionally include assembling, using the processor, a complete ciphertext as (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and storing the complete ciphertext in a storage device, and transmitting the complete ciphertext via the network interface device.

According to other aspects of the present disclosure, the non-transitory computer-readable storage medium may include one or more of the following features. The operations may further comprise decrypting the complete ciphertext by computing shares a_{i,ƒ_i}=g_{i,ƒ_i}^{-1}(ct_{i,ƒ_i}) for all i∈[n], reconstructing the secret s using a secret sharing reconstruction procedure on the computed shares, and recovering the message as m=ct_0⊕H(s). The operations may further comprise executing a transformation to construct a designated verifier non-interactive zero knowledge proof, wherein one or more of the following properties are satisfied: the proof is designated for a specific verifier with a secret verification key, the proof consists of a single message from the prover to the designated verifier, the proof demonstrates knowledge of a witness for a statement without revealing any information about the witness beyond its existence, only the designated verifier possessing the secret verification key can validate the proof, the proof cannot be re-used or transferred to convince any other party of the statement's validity, the designated verifier cannot use the proof to convince others, maintaining zero-knowledge even if the verifier is malicious, or the transformation ensures that the resulting proof preserves the security properties of the original attribute-based encryption scheme while adding the designated verifier property. The trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) may be generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode, the trapdoor function pairs (g_{i,b}, g_{i,b}^{-1}) may be efficiently computable and invertible in the injective mode with knowledge of the trapdoor, the share generating algorithm may implement a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares, and the attribute a and the binary string ƒ may represent inputs to a function F(x, ƒ), and decryption succeeds if and only if F(x, ƒ)=1, thereby implementing attribute-based access control.

The foregoing general description of the illustrative embodiments and the following detailed description thereof are merely exemplary aspects of the teachings of this disclosure and are not restrictive.

The following description sets forth exemplary aspects of the present disclosure. It should be recognized, however, that such description is not intended as a limitation on the scope of the present disclosure. Rather, the description also encompasses combinations and modifications to those exemplary aspects described herein.

A detailed description of systems, devices, and methods consistent with embodiments of the present disclosure is provided below. While several embodiments are described, it should be understood that the disclosure is not limited to any one embodiment, but instead encompasses numerous alternatives, modifications, and equivalents. In addition, while numerous specific details are set forth in the following description in order to provide a thorough understanding of the embodiments disclosed herein, some embodiments can be practiced without some or all of these details. Moreover, for the purpose of clarity, certain technical material that is known in the related art has not been described in detail in order to avoid unnecessarily obscuring the disclosure.

Theorem 0.1 (Informal). Assuming the existence of length-parametrized lossy trapdoor functions (see Definition) and a PRF in PBP (PBP is the complexity class containing all functions that can be computed by polynomial sized branching programs, which includes LOGSPACE and therefore NC^1.), there exist reusable designated-verifier NIZKs for NP with computational soundness and statistical zero-knowledge.

We present a new framework for constructing (reusable) DV-NIZKs from generic assumptions. Our framework yields reusable DV-NIZKs generically from lossy trapdoor functions and PRFs in PBP. The class PBP stands for all functions computable by polynomial-size branching programs, a class that includes NC^1 (and is equal to LOGSPACE). Our lossy trapdoor functions need to be length-parameterized, meaning that the output size is independent of the input size; such lossy trapdoor functions (and also the PRF) can be constructed from DDH or LWE. Our framework can be instantiated to result in computational soundness and statistical zero-knowledge.

Technically, we build a form of an Attribute-Based Encryption (ABE) scheme, as defined in prior work, that is known to be equivalent to DV-NIZKs (assuming public-key encryption exists). Specifically, this notion of ABE is a single-key scheme satisfying a certain “function-hiding under decryption queries” property. While previous work built it from a public-key encryption scheme plus a KDM-secure secret-key encryption scheme or a Hinting PRG, we build it from lossy trapdoor functions and a PRF in PBP. As mentioned, our construction also has the added advantage of achieving statistical zero-knowledge, whereas the framework of prior work inherently results in computational soundness and ZK (due to their black-box usage of the single-key ABE).

Secret sharing for non-monotone functions with randomness recovery. A key technical component in our construction is a secret sharing scheme with randomness recovery for all (even non-monotone) functions in PBP. A secret sharing scheme for non-monotone functions (sometimes referred to as non-monotone secret sharing or conditional disclosure of secrets, as established in the literature) is a method for sharing a secret among n parties relative to a (not necessarily monotone) function F:{0,1}^n→{0, 1}. The secret sharing scheme outputs 2n shares (s_1, t_1, s_2, t_2, . . . , s_n, t_n) and for any input (x_1, . . . , x_n)∈{0, 1}^n, as above, the collection of shares {s_i : x_i=1}∪{t_i : x_i=0} determines the secret if F(x_1, . . . , x_n)=1 and does not reveal anything otherwise. The randomness recovery property provides a procedure that recovers all the 2n shares from any subset of fewer than 2n shares that is authorized according to F.

Theorem 0.2 (See Theorem 3.15). There exists an efficient secret sharing scheme with randomness recovery for all functions in PBP. Our contribution in this context is an efficient secret sharing scheme with randomness recovery for all functions in PBP; this scheme is unconditionally secure. Our scheme is obtained by adapting the well-known st-connectivity secret sharing scheme to handle all functions in PBP.

Secret sharing for non-monotone functions should be contrasted with “standard” secret sharing schemes that can only support monotone functions. Indeed, in a standard secret sharing scheme the n shares t_1, . . . , t_n are essentially fixed to ⊥, and so having x_i=1 can only increase the amount of information available to recover the secret. Interestingly, prior work studies the notion of “standard” secret sharing with randomness recovery and obtains three main results. First, every access structure admits a secret sharing scheme with randomness recovery (albeit inefficient). Second, even for very simple access structures, obtaining randomness recovery requires the use of one-way functions. Finally, they note that randomness recovery can be obtained for any NC^1 access structure by using a one-time KDM-secure secret-key encryption (which they in turn base on a new assumption they call linear-resistant PRGs). Since our secret sharing scheme in Theorem 0.2 is unconditionally secure, we obtain an intriguing separation between “standard” secret sharing and secret sharing for non-monotone functions, both with randomness recovery.

Theorem 0.3. Assuming that a one-way function exists and trusted setup, there is a (computational) secret sharing scheme with randomness recovery for every monotone function in NC^1.

Lastly, as an independent contribution we give a “standard” secret sharing scheme with randomness recovery for all monotone NC^1 functions from only one-way functions (in fact, the construction applies to all monotone functions computable by polynomial-size span programs). This scheme, however, requires trusted setup (whose randomness the recovery procedure does not recover). We give it for completeness, hoping that it will be useful in related contexts in the future.

Prior work has shown that Single-Key Attribute-Based Encryption (ABE) with Weak Function-Hiding property implies Designated Verifier NIZK argument for NP (In fact they prove equivalence of these two primitives assuming public-key encryption exists.). Recall that an ABE scheme allows us to encrypt a message m under some public parameters pp (generated by a setup procedure along with a master secret key msk) with respect to an attribute a to yield a ciphertext ct. The ciphertext can be decrypted using a secret key sk_ƒ associated with a particular function ƒ. The decryption algorithm recovers the message m if and only if ƒ(x)=1. (In this work, we will interpret ƒ as a predicate.) The semantic security of an ABE requires that if ƒ(x)=0, then the ciphertext ct must not reveal any information about the message m, even upon given access to the function secret key sk_ƒ. It turns out that a weaker version that requires semantic security to hold only in the presence of a single function key suffices to construct DV-NIZK. (In general, an adversary trying to break the semantic security of an ABE scheme is allowed to make oracle queries for arbitrarily many function keys.) In addition, for the construction of DV-NIZK, the ABE needs to satisfy a certain function-hiding property: for all functions ƒ, oracle access to the decryption oracle Dec(sk_ƒ, ct) must not reveal any information about ƒ other than whether ƒ(x)=0 or not. (This is weaker than the usual notion of function-hiding for ABE where one requires that the function key sk_ƒ does not leak information about ƒ.) We consider schemes where the attribute a is publicly known (it can be given out with the ciphertext). This is formally captured by a simulation based definition which informally states that an oracle call to the decryption function should be efficiently simulated using only the master secret key msk and the value of ƒ(x).

Challenges of constructing ABE with function-hiding. While we can construct single-key semantically secure ABE directly from Public Key Encryption, the main challenge arises when we want to achieve any form of function-hiding. The crux of the problem is that an adversary can behave in a way which forces the real world decryption and the simulator to output different messages, which is bad for function-hiding. The function-hiding property seems to be closely related to Chosen Ciphertext Attack (CCA) security in the following sense: In CCA security, one needs to prove security even when an adversary is given access to the decryption oracle. This is similar to the function-hiding setting where the adversary, given access to the decryption oracle, can try to generate malformed ciphertexts to extract information about the underlying function. This similarity has been observed in prior work, and naturally, several tools and techniques which are useful to achieve CCA security have turned out to be useful to construct DV-NIZK as well. In CCA land, one key technique to deal with this issue is to generate two “correlated” ciphertexts, one of which is decrypted using the function secret key and the other is decrypted using an additional secret key which is only a part of the master secret key (not included in the function secret key). The key tool that is used to achieve this property is Randomness Recovery. A cryptographic primitive with randomness recovery is an object where the trapdoor process allows one to (partially) recover the randomness used to generate the hard instance. For example, the notion of PKE with randomness recovery has been well studied. This is a semantically secure PKE with two additional properties: (1) The decryption process outputs both the message and the randomness used during encryption, and (2) there is an efficient and deterministic algorithm that correctly outputs the message upon input the ciphertext and the randomness used for encryption (without having access to the decryption key). Such schemes have been well studied in the context of both CCA security and DV-NIZK, and thus randomness recovery is a natural tool to use in our construction.

ABE with randomness recovery. In prior work, it has been the impression that constructing ABE with weak function-hiding can be achieved by constructing an ABE scheme with some form of randomness recovery. In this work, our goal is to construct an ABE scheme which will satisfy randomness recovery, which in turn will naturally yield a single-key semantically secure ABE with weak function hiding. In particular, we are going to construct a standard ABE scheme for a function ƒ with the following additional property: (1) For any attribute a such that ƒ(x)=1, the decryption process can extract both the message and the randomness used during encryption, and (2) for any attribute x such that ƒ(x)=1, one can use the master secret key (without access to the function ƒ and secret key) to produce outputs consistent with the real world decryption algorithm. In this work, our primary focus is constructing the above ABE scheme for an appropriate function ƒ that will be determined by the NP statement of interest.

Construction template. Without loss of generality we will assume a function C that takes as input (ƒ,x) and outputs ƒ(x). We will then construct an ABE for C where the key generation algorithm outputs a public key pk, master secret key msk and secret key sk when queried on ƒ. The msk is not revealed to the decryptor and encryptions are generated with respect to attribute a and the particular public key. This abstraction is called Attribute Based Secure Function Evaluation (ABSFE) as established in prior work and is a generalization of the usual notion of single-key ABE for the function C(ƒ,·). Moreover, in ABSFE the function-hiding analogue is referred to as key-hiding, where oracle access to the decryption function does not reveal any information about the “key” ƒ. From here onwards, we will refer to ƒ as the key.

Building blocks for the construction. We will now present the general template of our construction. While this template will not achieve all the properties that we want, we gradually augment this primary construction with additional tools in a step-wise manner, eventually obtaining the final construction.

As building blocks, we will use:

1. A family of pairwise independent hash functions.

2. A secret sharing scheme with access function C(·, x):{0, 1}^n→{0, 1} that has a randomized share generating algorithm and a deterministic reconstruction algorithm (The notation C(·, x) means the function C hardcoded with x.). The share generating algorithm takes as input a secret s and produces shares (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}), and the reconstruction algorithm takes as input an “authorized” set of shares and outputs the secret; together they satisfy the usual correctness and privacy properties. Specifically, if C(ƒ,x)=1, then {a_{i,ƒ_i}}_{i∈[n]} should correctly reconstruct the secret s. On the other hand, if C(ƒ,x)=0, then {a_{i,ƒ_i}}_{i∈[n]} should reveal nothing about the secret s in the information theoretic sense. As mentioned in the introduction, such a scheme has been referred to as a secret sharing scheme for non-monotone functions in the literature. For the time being, let us assume that an efficient secret sharing scheme of this form exists for C(·, x). We will discuss later in this section when this is possible.

3. An (injective) trapdoor function with setup. Such a function has an additional setup algorithm which on input the security parameter outputs the function g along with a trapdoor g^{-1}. The trapdoor satisfies the natural property that g^{-1}(g(x))=x.

Informally, our construction follows the blueprint here:

The setup algorithm samples a hash function H from a pairwise-independent hash family as public parameter. The key generation procedure takes as input the key ƒ. Let ƒ be n bits long. Then it generates a sequence of functions along with their inverses using the trapdoor function setup. Call them {(g_{i,b}, g_{i,b}^{-1})}_{i∈[n],b∈{0,1}}. The function descriptions g_{i,b} are set as the public key pk, and the secret key sk includes the key ƒ along with the trapdoor keys {g_{i,ƒ_i}^{-1}}_{i∈[n]}. The master secret key contains all the other trapdoors.

To encrypt a message m under attribute x, first sample a random secret s and use the share generating algorithm to produce (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}). The ciphertexts are set as {ct_{i,b}←g_{i,b}(a_{i,b})}_{i∈[n],b∈{0,1}}. Finally, use H to generate ct_0=m ⊕H(s).

Decryption works by first computing shares corresponding to the indices for which the secret key has the trapdoor, i.e., for all i∈[n] compute a_{i,ƒ_i}=g_{i,ƒ_i}^{-1}(ct_{i,ƒ_i}). Then use the secret sharing reconstruction procedure to generate s. Finally output ct_0⊕H(s).

Correctness. Whenever (ƒ,x) is such that C(ƒ,x)=1, correctness is straightforward because (1) the inversion correctness of the trapdoor function ensures that the correct shares {a_{i,ƒ_i}}_{i∈[n]} are computed and (2) C(ƒ,x)=1, therefore {a_{i,ƒ_i}}_{i∈[n]} are authorized to extract the secret s. Hence, the reconstruction correctness of secret sharing ensures that ct_0⊕H(s)=m.

Message-hiding for ABSFE. To show message-hiding, we have to prove that if the key ƒ is not authorized to reveal the secret, i.e., C(ƒ,x)=0, then an encryption of m_0 is indistinguishable from an encryption of m_1. The most natural way to proceed with the proof would be to use the randomness extraction property of H and replace ct_0=m⊕H(s) in the encryption step with a uniform random value. Observe that the view of an adversary includes all the functions {g_{i,b}}_{i∈[n],b∈{0,1}}, some of the shares {a_{i,ƒ_i}}_{i∈[n]}, the trapdoor function evaluations of the other shares {g_{i,1−ƒ_i}(a_{i,1−ƒ_i})}_{i∈[n]}, and m⊕H(s). We can appeal to the privacy of the secret sharing scheme and say that {a_{i,ƒ_i}}_{i∈[n]} does not reveal any information about s. However the adversary also sees {g_{i,1−ƒ_i}(a_{i,1−ƒ_i})}_{i∈[n]}, and because g_{i,1−ƒ_i} is injective, the conditional entropy of s given {g_{i,1−ƒ_i}(a_{i,1−ƒ_i})}_{i∈[n]} is 0 as s can be reconstructed efficiently given all the shares. So, there is absolutely no entropy left to use the randomness extractor H and we cannot hope to use any sort of Leftover Hash Lemma for randomness extraction.

Key Ingredient: Lossy Trapdoor Function. Trapdoor functions do not seem sufficient to achieve message hiding. To solve this issue, we will replace them with Lossy Trapdoor Functions (LTDF). The notion of lossy trapdoor function was introduced in prior work; it is a public function g that behaves in one of two modes. The first mode gives an (injective) trapdoor function: given a suitable trapdoor for g, i.e., g^{-1}, the input x can be efficiently recovered from g(x). In this mode, the setup outputs the trapdoor along with the function description. In the second mode g statistically loses a significant amount of information about its input, i.e., g's image is significantly smaller than its domain. The two behaviors are computationally indistinguishable: given just the description of g, no efficient adversary can tell whether g is injective or lossy.

Once we make this change, i.e., {g_{i,1−ƒ_i}}_{i∈[n]} are now generated by the setup for lossy trapdoor functions, we can indeed make the message hiding proof go through without affecting correctness. In more detail, we will generate the functions in the injective mode in the construction, and therefore correctness remains unaltered. However, to prove message hiding, we will first switch the lossy trapdoor function setup such that {g_{i,1−ƒ_i}}_{i∈[n]} are generated in the lossy mode. Now, the view of the adversary again contains {g_{i,1−ƒ_i}(a_{i,1−ƒ_i})}_{i∈[n]} but now the lossiness ensures that the residual entropy of s given these evaluations is high enough for the randomness extractor to work. Indeed, we have to pick the parameters carefully to make sure that there is enough information ambiguity in the lossy evaluation to apply the Leftover Hash Lemma. In particular, we need to use a slightly stronger version of lossy trapdoor functions called length-parameterized lossy trapdoor functions. Length-parameterized lossy (trapdoor) functions, as introduced in prior work, are similar to lossy (trapdoor) functions with a stronger requirement that the setup algorithm takes as input an explicit input length parameter ℓ_in and the range of the function in the lossy mode is independent of ℓ_in. The original constructions of lossy trapdoor functions from DDH and the recent constructions from LWE satisfy this property.
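As an added worked derivation (not from the patent), the parameter condition behind the previous paragraph, carried through with Lemma 2.2 and Lemma 2.3 from the preliminaries below. It assumes the secret s is uniform over {0,1}^{λ_s} and that each lossy g_{i,1−ƒ_i} has an image of size at most 2^r; λ_s, r and U_ℓ (the uniform distribution on {0,1}^ℓ) are notation introduced here.

Let $Z=\{a_{i,f_i}\}_{i\in[n]}$ and $Y=\{g_{i,1-f_i}(a_{i,1-f_i})\}_{i\in[n]}$, with $C(f,x)=0$.

\[
H_\infty(s \mid Z) \;=\; H_\infty(s) \;=\; \lambda_s
\qquad\text{(privacy of the secret sharing: $s$ is independent of $Z$)}
\]

\[
\tilde{H}_\infty\big(s \mid (Y,Z)\big) \;\ge\; H_\infty(s \mid Z) - nr \;=\; \lambda_s - nr
\qquad\text{(Lemma 2.2: $Y$ takes at most $(2^{r})^{n}=2^{nr}$ values)}
\]

\[
\big(H,\, H(s),\, Y,\, Z\big) \;\approx_\varepsilon\; \big(H,\, U_\ell,\, Y,\, Z\big)
\qquad\text{whenever}\qquad \ell \;<\; \lambda_s - nr - 2\lg(1/\varepsilon)
\qquad\text{(Lemma 2.3 with $k=\lambda_s-nr$)}
\]

Hence $ct_0=m\oplus H(s)$ is $\varepsilon$-close to uniform given the rest of the view, so encryptions of $m_0$ and $m_1$ are $2\varepsilon$-close. In the injective mode each $g_{i,1-f_i}$ has an image of size $2^{|a_{i,1-f_i}|}$, which is why the bound above is useless there; with length-parameterized lossy functions $r$ stays fixed while $\lambda_s$ (and with it the share length) grows, so the condition is met by choosing $\lambda_s > nr + \ell + 2\lg(1/\varepsilon)$.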

Remark 1.1. Since we know the indices i for which ƒ_i=0, we can set the lossy trapdoor function keys in the construction in a way that does not require us to switch from injective to lossy mode for the keys {g_{i,1−ƒ_i}}_{i∈[n]} in the proof. Specifically, we sample {g_{i,1−ƒ_i}}_{i∈[n]} in the lossy mode and {g_{i,ƒ_i}}_{i∈[n]} in the injective mode, thereby avoiding the need to rely on the computational setup indistinguishability property of the lossy trapdoor function. In this way, we get the property that message-hiding is statistical (assuming the secret sharing is information theoretically secure).

Key-hiding for ABSFE. Unfortunately, the template above, as is, does not satisfy key-hiding. It turns out that an adversary with access to a decryption oracle can send malformed ciphertexts as queries that will leak non-trivial information about the key ƒ. Concretely, consider the following scenario: there is an adversary who is aware of some key and attribute pair (ƒ*, x) such that C(ƒ*, x)=1 and they also know that the description of ƒ* is 0 everywhere other than its most significant bit.

Theref*ore, if the key generation algorithm for the ABSFE generated keys corresponding to ƒ* and if the encryption is done honestly as prescribed above, then the shares (a_{1,1}, a_{2,0}, . . . , a_{n,0}) should be sufficient to recover the secret s and therefore the encrypted message.

However, the adversary chooses to not generate the encryptions honestly but rather does the following tampering: To encrypt a message m under attribute x, the adversary first samples a random secret s and uses the share generating algorithm to honestly produce (a_{1,0}, . . . , a_{n,1}). At this point, the adversary deviates from the encryption procedure. Instead of setting {ct_{i,b}←g_{i,b}(a_{i,b})}_{i∈[n],b∈{0,1}}, it first picks arbitrary values a′_{i,1−ƒ*_i} for all i∈[n]. Then it sets ct_{i,ƒ*_i}←g_{i,ƒ*_i}(a_{i,ƒ*_i}) for all i∈[n] and ct_{i,1−ƒ*_i}←g_{i,1−ƒ*_i}(a′_{i,1−ƒ*_i}) for all i∈[n]. Finally, it uses H to generate ct_0=m ⊕H(s).

Such an adversary can learn non-trivial information about the key using the response of the decryption oracle and break the key-hiding property. Consider the two cases:

If the key generation produced secret keys corresponding to ƒ*, then the secret key has the trapdoors {g_{i,ƒ*_i}^{-1}}_{i∈[n]} and it can therefore extract (a_{1,1}, a_{2,0}, . . . , a_{n,0}). Since the description of ƒ* has a 1 in its most significant bit only, the decryption oracle can reconstruct some secret s′ just by using (a_{1,1}, a_{2,0}, . . . , a_{n,0}). And because the adversary did not modify the honestly generated (a_{1,1}, a_{2,0}, . . . , a_{n,0}), the reconstruction must always produce the correct secret s′=s. Thus the decryption oracle responds with ct_0⊕H(s′)=ct_0⊕H(s)=m.

On the other hand, if the key generation produced secret keys corresponding to some ƒ≠ƒ* such that C(ƒ,x)=1, then there is no guarantee that the s′ reconstructed will match the same secret s used in the encryption. The reconstruction algorithm receives shares which are not generated by an honest share generating process and therefore provides no guarantee of reconstruction correctness. In fact, in the worst case where the description of ƒ has 0 in the most significant position and 1 everywhere else, the reconstruction process is run only on tampered shares which are completely independent of the secret s. Therefore it is very likely that ct_0⊕H(s′)≠ct_0⊕H(s)=m.

To conclude, depending on whether the decryption oracle returns the correct message m or not, the adversary can be fairly confident whether the key ƒ* was used.

In order to prevent such malicious behavior, there has to be some way to perform consistency checks while decrypting to ensure that the adversary cannot take advantage of malformed ciphertexts.

Key Ingredient: Secret Sharing with Randomness Recovery. Our problem with proving key-hiding is resolved if we have a secret sharing scheme with an additional randomness recovery property, i.e., the reconstruction algorithm upon input C(·, x) and {a_{i,ƒ_i}}_{i∈[n]} correctly outputs all other shares, i.e., {a_{i,1−ƒ_i}}_{i∈[n]}, along with s. Given such a primitive, we can modify our decryption as follows:

First compute shares corresponding to the indices for which the secret key has the trapdoor, i.e., for all i∈[n] compute a_{i,ƒ_i}=g_{i,ƒ_i}^{-1}(ct_{i,ƒ_i}). Then use the secret sharing reconstruction to generate s and (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}). To test for malformed ciphertexts, we run a consistency check. Specifically, check if g_{i,b}(a_{i,b})=ct_{i,b} for all i∈[n], b∈{0, 1}. If yes, then output ct_0⊕H(s). Otherwise output ⊥.

Now, if our secret sharing has the additional property that the regenerated shares are indeed correctly distributed, the attack described above no longer works. In particular, if an adversary tries to use malformed ciphertexts, then the consistency checks in the decryption algorithm should fail and it will output ⊥. Thus, such a secret sharing scheme suffices to achieve key-hiding for the ABSFE. We refer readers to Section 4 for formal details.

Constructing the secret sharing scheme. As mentioned above, a secret sharing scheme for a non-monotone function F:{0, 1}^n→{0, 1} splits a secret into 2n shares and satisfies the usual correctness and privacy properties, namely, (1) the collection of shares {s_i : x_i=1}∪{t_i : x_i=0} determines the secret if F(x_1, . . . , x_n)=1, and (2) if F(x_1, . . . , x_n)=0, then {s_i : x_i=1}∪{t_i : x_i=0} does not reveal anything about the secret (information theoretically). In addition to these, a secret sharing with randomness recovery has a deterministic regeneration procedure that can generate all 2n shares given {s_i : x_i=1}∪{t_i : x_i=0} along with the secret s if F(x_1, . . . , x_n)=1.

In this work, we construct an information theoretically private secret sharing scheme for any non-monotone function F that can be computed by a polynomially sized branching program. Such functions are said to belong to the complexity class PBP and can be represented using a Directed Acyclic Graph (DAG) with n+2 nodes (The number of nodes in the graph will not be n+2 in general. Rather it will be some polynomial in n. However, for the sake of simplicity let us assume it is n+2 for now as it does not affect the construction in a significant manner. The technical sections have accurate parameters.) (v_1, . . . , v_{n+2}) where v_1 is assigned as the source node, and v_{n+1} and v_{n+2} are assigned as accept and reject sink nodes respectively. All non-sink nodes labelled {v_1, . . . , v_n} have exactly two outgoing edges labelled (i, b), for i∈[n] and b∈{0, 1}. The DAG has the property that the set of edges marked as {(i, x_i)}_{i∈[n]} has a path from v_1 to the accept node if and only if F(x)=1 for some input x. At a high level, the secret sharing scheme works as follows:

Share Generation. Given a secret s, assign it to v_1. Assign 0 to v_{n+1} and v_{n+2}. For all other nodes, assign random values r_i. Let val_i be the value assigned to node v_i. Every edge is now assigned a share a_{i,b}=val_i−val_j if (i, b) is an edge between nodes v_i and v_j. These are the final shares, i.e., {a_{i,b}}_{i∈[n],b∈{0,1}}.

Secret Reconstruction. If one is given access to shares {a_{i,x_i}}_{i∈[n]} and F(x)=1, then we know by the property of the DAG that the edges corresponding to these shares contain among them a directed path from v_1 to v_{n+1} and such a path can be efficiently found. To reconstruct the secret simply add the shares along this path. Correctness is easy to see by observing that summing shares along a path has a telescoping effect that cancels all intermediate values and results in val_1−val_{n+1}, which equals the secret s.

Share Regeneration. Observe that every set of shares {a_{i,x_i}}_{i∈[n]} contains the share corresponding to exactly one of the two outgoing edges from every non-sink node. Therefore, the set {a_{i,x_i}}_{i∈[n]} contains shares along a path from every node v_i to either v_{n+1} or v_{n+2}. If F(x)=1, then using the above bullet point, one can recover the secret s, and thus get access to val_1. It is known that val_{n+1}=0 and val_{n+2}=0. Now to compute val_i, one can simply add shares along the path from v_i to v_{n+1} or v_{n+2}. Once all {val_i}_{i∈[n+2]} are recovered, it is straightforward to compute the shares {a_{i,b}}_{i∈[n],b∈{0,1}}.
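The construction template, the key-hiding attack with its consistency-check fix, and the DAG-based secret sharing above, tied together in one added Python example (constructed here, not the patent's or the authors' code). It uses the page's simplified n+2-node branching program with n=3, textbook RSA with 16-bit primes as a stand-in for the injective trapdoor functions g_{i,b} (not lossy, so it shows the mechanics rather than the security argument), and an affine pairwise-independent hash; the branching program, the modulus Q and all function names are assumptions of the example.

```python
import random

# Constructed example (not the patent's code): the page's simplified branching program
# with n = 3 non-sink nodes v1..v3 reading key bits f1..f3, plus accept/reject sinks.
# For the fixed attribute x it computes C(f, x) = 1 iff f1 = 0 and (f2 = 1 or f3 = 1),
# a function that is non-monotone in f1.
N_BITS = 3
ACCEPT, REJECT = N_BITS + 1, N_BITS + 2      # v_{n+1} and v_{n+2}
EDGES = {(1, 0): 2, (1, 1): REJECT,          # EDGES[(i, b)] = target of edge (i, b) leaving v_i
         (2, 0): 3, (2, 1): ACCEPT,
         (3, 0): REJECT, (3, 1): ACCEPT}
Q = 65521                                    # prime modulus for the shares, Q < every RSA modulus
E = 65537                                    # RSA public exponent

def path_from(node, f):
    """Follow the edges (i, f_i) from `node` to a sink; return (sink, edges on the path)."""
    path = []
    while node not in (ACCEPT, REJECT):
        path.append((node, f[node - 1]))
        node = EDGES[path[-1]]
    return node, path

def share(s):
    """Share Generation: val(v1) = s, val(sinks) = 0, other nodes random; one share per edge."""
    val = {1: s % Q, ACCEPT: 0, REJECT: 0}
    for v in range(2, N_BITS + 1):
        val[v] = random.randrange(Q)
    return {(i, b): (val[i] - val[t]) % Q for (i, b), t in EDGES.items()}

def reconstruct(f, my_shares):
    """Secret Reconstruction: the share sum along v1 -> ACCEPT telescopes to s."""
    sink, path = path_from(1, f)
    if sink != ACCEPT:
        return None                          # f is not authorized
    return sum(my_shares[e] for e in path) % Q

def regenerate(f, my_shares):
    """Share Regeneration: val(v_i) is the share sum along the path from v_i to a sink."""
    val = {ACCEPT: 0, REJECT: 0}
    for v in range(1, N_BITS + 1):
        val[v] = sum(my_shares[e] for e in path_from(v, f)[1]) % Q
    return {(i, b): (val[i] - val[t]) % Q for (i, b), t in EDGES.items()}

# Injective trapdoor function with setup: textbook RSA with 16-bit primes as a stand-in.
# It is not lossy, so this shows the mechanics of the template, not its security proof.
PRIMES = [p for p in range(50000, 52000)
          if all(p % d for d in range(2, int(p ** 0.5) + 1))]

def tdf_setup():
    p, q = random.sample(PRIMES, 2)
    n = p * q                                # n > 2^32 > Q, so a -> a^E mod n is injective on Z_Q
    return n, pow(E, -1, (p - 1) * (q - 1))  # (public description g, trapdoor g^{-1})

def tdf_eval(n, a):
    return pow(a, E, n)

def hash_eval(H, s):
    """Pairwise-independent family h_{alpha,beta}(s) = alpha*s + beta mod Q."""
    return (H[0] * s + H[1]) % Q

def absfe_setup():
    """Setup: sample H and one trapdoor function per edge label; all trapdoors form the msk."""
    H = (random.randrange(1, Q), random.randrange(Q))
    msk = {e: tdf_setup() for e in EDGES}
    return (H, {e: n for e, (n, _) in msk.items()}), msk

def keygen(msk, f):
    """sk_f holds the key f and the trapdoors for the edges (i, f_i) only."""
    return f, {(i, f[i - 1]): msk[(i, f[i - 1])] for i in range(1, N_BITS + 1)}

def encrypt(pk, m, tamper_for=None):
    """Honest encryption, or, with tamper_for = f*, the page's key-hiding adversary:
    shares on f*'s edges stay honest, every other share is replaced by an arbitrary value."""
    H, pks = pk
    s = random.randrange(Q)
    shares = share(s)
    if tamper_for is not None:
        for (i, b) in EDGES:
            if b != tamper_for[i - 1]:
                shares[(i, b)] = (shares[(i, b)] + 1) % Q
    return m ^ hash_eval(H, s), {e: tdf_eval(pks[e], shares[e]) for e in EDGES}

def decrypt(pk, sk, ctxt, check=True):
    """Decrypt with sk_f; `check` runs the consistency check g_{i,b}(a_{i,b}) == ct_{i,b}."""
    H, pks = pk
    f, tds = sk
    ct0, ct = ctxt
    my_shares = {e: pow(ct[e], d, n) for e, (n, d) in tds.items()}   # invert with trapdoors
    s = reconstruct(f, my_shares)
    if s is None:
        return None
    if check:
        regen = regenerate(f, my_shares)
        if any(tdf_eval(pks[e], regen[e]) != ct[e] for e in EDGES):
            return None                      # malformed ciphertext: output bottom
    return ct0 ^ hash_eval(H, s)
```

With check=False the attack goes through: the tampered ciphertext decrypts to m under sk_{ƒ*} and to a wrong value under another authorized key, so the oracle's answer reveals which key it holds; with the consistency check both decryptions return ⊥ (None).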

Additional technical details. We have hidden some details under the rug in this description. In the above description, we have argued share regeneration correctness only when the shares are honestly generated using the share generation algorithm. However, an adversary trying to break key-hiding need not generate shares using this procedure. Therefore, for the key-hiding proof to work we have to ensure that there is some way for the share regeneration procedure to detect “invalid” shares. This is captured by the “Regeneration Soundness” property in our formalization.

We refer readers to Section 3 for more details.

In our application to DV-NIZK, the function C is essentially a PRF and (ƒ,x) are the PRF key and evaluation point respectively. Therefore we need to construct the secret sharing with randomness recovery scheme for the access function PRF(·, x). Since we build such a secret sharing scheme for functions restricted to the complexity class PBP, we also need to additionally assume the existence of a PRF in PBP.

We refer readers to Section 4 and Section 5 for more details.

Notations. We use e_i to denote a vector with 1 at the i-th index and 0 everywhere else. For a matrix M, M_{i,j} denotes the entry at the (i, j) position. M_{i,·} and M_{·,i} denote the i-th row and column respectively.

The statistical distance between two random variables X and Y having the same (countable) domain is

We say that two variables are ε-close if their statistical distance is at most ε. We use the notation D_1 ≈_ε D_2 to denote that the statistical distance between two distributions D_1 and D_2 is at most ε.

Negligible Function: A function ƒ:ℕ→(0, 1) is said to be negligible if for every positive constant c, there exists n_0∈ℕ such that for all n>n_0, ƒ(n)≤n^{−c}.

Two distributions $D_1$ and $D_2$ (indexed by the security parameter λ) are said to be computationally indistinguishable if for all PPT adversaries, there exists a negligible function negl such that

Analogously, two distributions $D_1$ and $D_2$ are statistically indistinguishable if for all (not restricted to PPT) adversaries, there exists a negligible function negl such that

Definition 2.1. A family $\mathcal{H}=\{H: D\to R\}$ is said to be pairwise independent if for any two distinct elements $x_1\neq x_2\in D$, and any two $y_1, y_2\in R$,

The min-entropy of a random variable X is

In several settings, the variable X is correlated with another variable Y whose value is known to the adversary. The notion of conditional minimum entropy quantifies the amount of information needed to describe the outcome of X given the outcome of another random variable Y. Formally, it is defined as $H_\infty(X|Y=y) = -\log\left(\max_x \Pr[X=x \mid Y=y]\right)$. In this work, we use a notion called average conditional min-entropy as established in prior work, which captures the remaining unpredictability of X conditioned on the value of Y:

The average min-entropy corresponds exactly to the optimal probability of guessing X, given knowledge of Y. The following bound on average min-entropy has been previously established:

Lemma 2.2. If Y has $2^r$ possible values and Z is any random variable, then $\tilde{H}_\infty(X|(Y, Z)) \ge H_\infty(X|Z) - r$.

The following lemma is also known from prior work.

Lemma 2.3. Let X, Y be random variables such that $X\in\{0, 1\}^n$ and $\tilde{H}_\infty(X|Y)\ge k$. Let $\mathcal{H}$ be a family of pairwise independent hash functions from $\{0, 1\}^n$ to $\{0, 1\}^{\ell}$. Then for $h\leftarrow\mathcal{H}$, we have

as long as $\ell < k - 2\lg(1/\varepsilon)$.

A lossy trapdoor function, introduced in prior work, is a public function ƒ that behaves in one of two modes. The first mode gives an (injective) trapdoor function: given a suitable trapdoor for ƒ, the input x can be efficiently recovered from ƒ(x). In the second mode, ƒ statistically loses a significant amount of information about its input, i.e., ƒ's image is significantly smaller than its domain. Finally, the two behaviors are indistinguishable: given just the description of ƒ, no efficient adversary can tell whether ƒ is injective or lossy.

Length-parameterized lossy (trapdoor) functions, introduced in prior work, are similar to lossy (trapdoor) functions with the stronger requirement that the setup algorithm takes as input an explicit input length parameter $\ell_{in}$. As in previous work, there is both an injective and a lossy mode of setup and these should be computationally indistinguishable. However, the image size of the function in the lossy mode should be a polynomial that depends only on the security parameter and is independent of $\ell_{in}$. The trapdoor allows one to invert arbitrary outputs (when instantiated in the injective mode).

More precisely, a length-parameterized lossy trapdoor function is a tuple of efficient algorithms LTDF=(LTDF.Setup, LTDF.AltSetup, LTDF.Eval, LTDF.Invert) with the following syntax.

(ev, td) ← LTDF.Setup$(1^\lambda, 1^{\ell_{in}})$: On input the security parameter λ and an input length $\ell_{in}$ (both in unary), the setup procedure outputs an evaluation key ev and a trapdoor key td. We assume that ev contains an implicit description of $\ell_{in}$.

ev ← LTDF.AltSetup$(1^\lambda, 1^{\ell_{in}})$: On input the security parameter λ and an input length $\ell_{in}$ (both in unary), the alternate-setup procedure outputs an evaluation key ev. We assume that the key ev contains an implicit description of $\ell_{in}$.

y ← LTDF.Eval(ev, x): On input a key ev and an input $x\in\{0, 1\}^{\ell_{in}}$, the evaluation procedure outputs a value $y\in\{0, 1\}^{\ell_{out}}$, for some output length $\ell_{out}$ that is determined during function setup.

x ← LTDF.Invert(td, y): On input a trapdoor key td and an input $y\in\{0, 1\}^{\ell_{out}}$, the inversion procedure outputs a value $x\in\{0, 1\}^{\ell_{in}}$.

Below, we formalize the properties that an LTDF as above should satisfy.

Efficiency: For all security parameters $\lambda\in\mathbb{N}$, $\ell_{in}=\mathrm{poly}(\lambda)$ and $\ell_{out}=\mathrm{poly}(\lambda)$. LTDF.Setup, LTDF.AltSetup, and LTDF.Eval are probabilistic algorithms that run in time $\mathrm{poly}(\lambda, \ell_{in})$. LTDF.Invert is a probabilistic algorithm that runs in time $\mathrm{poly}(\lambda, \ell_{out})$.

Correctness of trapdoor inversion: For all $\lambda\in\mathbb{N}$, $\ell_{in}=\mathrm{poly}(\lambda)$, every input $x\in\{0, 1\}^{\ell_{in}}$,

where the probability is over the choice of (ev, td) ← LTDF.Setup$(1^\lambda, 1^{\ell_{in}})$. Note that this property implies injectivity.

Lossiness in alternate mode: There exists a polynomial p(·) such that for all $\lambda, \ell_{in}\in\mathrm{poly}(\lambda)$ the following holds. Let ev ← LTDF.AltSetup$(1^\lambda, 1^{\ell_{in}})$. It must be that

In other words, the image size is bounded by a polynomial in λ which is independent of $\ell_{in}$.

Mode indistinguishability: For all $\lambda, \ell_{in}=\mathrm{poly}(\lambda)$ and PPT adversaries, there exists a negligible function negl(·) such that,

Theorem 2.4 (Established in prior work). Let λ be the security parameter. Assuming (m, q, σ)-LWE is hard for σ=ω(λ), and for all polynomials m, q, there exists an LTDF=(LTDF.Setup, LTDF.AltSetup, LTDF.Eval, LTDF.Invert).

Theorem 2.5 (Established in prior work). Assuming hardness of DDH, there exists an LTDF=(LTDF.Setup, LTDF.AltSetup, LTDF.Eval, LTDF.Invert).

As introduced in prior work, a ZK-PCP is like a PCP with the additional property that the view of the verifier can be efficiently simulated without access to the witness up to a small statistical distance.

Definition 2.6 (Definition adapted from prior work). Let $\mathcal{R}:\{0, 1\}^n\times\{0, 1\}^h\to\{0, 1\}$ be an NP relation and $\mathcal{L}\subseteq\{0, 1\}^n$ be the associated language. A non-adaptive, $\ell$-query zero-knowledge PCP with alphabet Σ for $\mathcal{L}$ is a tuple of algorithms:

π ← zkPCP.Prove(x, w): On input a statement $x\in\{0, 1\}^n$ and a witness $w\in\{0, 1\}^h$, the prove algorithm outputs a proof $\pi\in\Sigma^m$.

$(st_x, q_1, \dots, q_\ell)$ ← zkPCP.Query(x): On input the statement x, it outputs a verification state $st_x$ and query indices $q_1, \dots, q_\ell\in[m]$.

{0, 1} ← zkPCP.Ver$(st_x, s_1, \dots, s_\ell)$: On input the verification state $st_x$ and a set of responses $s_1, \dots, s_\ell\in\Sigma$, output a bit.

A zkPCP satisfies the following properties:

Efficiency: The running time of zkPCP.Prove, zkPCP.Query and zkPCP.Ver should be bounded by poly(n). In particular, m∈poly(n).

Completeness: For all $x\in\{0, 1\}^n$ and $w\in\{0, 1\}^h$, if $\mathcal{R}(x, w)=1$, then

where π ← zkPCP.Prove(x, w) and $(st_x, q_1, \dots, q_\ell)$ ← zkPCP.Query(x).

Soundness: There exists a negligible function negl(·) such that for all $n, m\in\mathbb{N}$, $x\notin\mathcal{L}$ with |x|=n, and all proof strings $\pi\in\Sigma^m$,

Semi-malicious Computational Zero-Knowledge: For all PPT adversaries $\mathcal{A}=(\mathcal{A}_1, \mathcal{A}_2)$, there exists an efficient simulator Sim and a negligible function negl(·) such that,

Semi-malicious Statistical Zero-Knowledge: For all adversaries $\mathcal{A}=(\mathcal{A}_1, \mathcal{A}_2)$, there exists an efficient simulator Sim and a negligible function negl(·) such that,

Remark 2.7 (Malicious ZK). A stronger notion of malicious zero-knowledge, where $(q_1, \dots, q_\ell)$ are maliciously generated, can also be defined. We refer readers to prior work for the formal definition. For our application to DV-NIZK, the weaker semi-malicious zero-knowledge suffices.

Theorem 2.8 (Semi-malicious zkPCP from prior work). There exists an $\ell$-query PCP with statistical soundness and semi-malicious statistical zero-knowledge for all of NP, with alphabet Σ={0, 1, 2} and $\ell=\mathrm{poly}(n)$.

Instantiating ZK-PCP with statistical zero knowledge. As noted in prior work, the non-interactive zero-knowledge construction from previous work relies on a semi-malicious zero-knowledge PCP. To elaborate, in order to prove that a graph is 3-colorable, the prover assigns a color to each node. This coloring serves as the PCP string which the verifier can query. The (semi-malicious) verifier can now query a random edge (pair of nodes) from this string, and check whether the corresponding colors are distinct. This construction involves no computational assumptions, and indeed satisfies statistical zero-knowledge against semi-malicious verifiers. While the base construction only achieves 1−1/poly(n) soundness, this can be amplified by parallel repetition, i.e., generating multiple independent copies of the PCP. Note that semi-malicious zero-knowledge is preserved by parallel repetition.

Additional instantiations of zkPCP exist; see, for example, prior work.

We define an Attribute-Based encryption (ABE) scheme with a certain function-hiding property. In this work, it suffices to construct an ABE scheme that satisfies semantic security with a single function key. Such ABE schemes (without the function hiding property) have been well studied and are known to exist assuming Public Key Encryption.

Definition 2.9 (Adapted from prior work). An Attribute-Based Encryption (ABE) scheme over a message space $\mathcal{M}$, attribute space $\mathcal{X}$, and function family $\mathcal{F}=\{f:\mathcal{X}\to\{0, 1\}\}$ is a tuple ABE=(ABE.Setup, ABE.Keygen, ABE.Enc, ABE.Dec) such that:

(pp, msk) ← ABE.Setup$(1^\lambda)$: The setup algorithm, on input the security parameter λ, outputs the public parameters pp and master secret key msk.

sk ← ABE.Keygen(pp, msk, ƒ): The key generation algorithm, on input the public parameters, master secret key, and a function $f\in\mathcal{F}$, outputs a function secret key sk.

ct ← ABE.Enc(pp, x, m): The encryption algorithm takes as input the public parameters, an attribute x and a message $m\in\mathcal{M}$, and outputs a ciphertext ct.

(x, m) ← ABE.Dec(pp, sk, ct): The decryption algorithm takes as input the public parameters, a secret key sk (which may be the master secret key) and a ciphertext ct, and outputs an attribute $x\in\mathcal{X}$ and a message $m\in\mathcal{M}\cup\{\bot\}$.

A Weak Function-Hiding ABE scheme with the above algorithms satisfies the following properties:

(Perfect) Correctness: For all messages $m\in\mathcal{M}$, attributes $x\in\mathcal{X}$, predicates $f\in\mathcal{F}$,

Single-Key Semantic Security: For all $\lambda\in\mathbb{N}$, and all admissible PPT adversaries $\mathcal{A}=(\mathcal{A}_1, \mathcal{A}_2)$, there exists a negligible function negl(·) such that

where $\mathcal{O}(pp, b, x, m_0, m_1)$ is an oracle which, upon being queried with an attribute x and messages $m_0, m_1\in\mathcal{M}$, returns a ciphertext ct ← ABE.Enc(pp, x, $m_b$). $\mathcal{A}$ is admissible if it makes one ciphertext query $(x, m_0, m_1)$ to $\mathcal{O}$, and ƒ(x)=0.

Weak Function-Hiding: (This is weaker than the standard notion of function-hiding ABE. Informally, a function-hiding ABE requires that the function secret key hides the function. On the other hand, here we want that oracle access to the decryption function does not leak information about the function.) For all $\lambda\in\mathbb{N}$ and p=poly(λ), there exists a PPT simulator Sim such that for all functions $f\in\mathcal{F}$, and for all PPT adversaries, there exists a negligible function negl(·) such that

Here, $\mathcal{O}_1(pp, sk, ct)$ is the real decryption oracle which, upon being queried with a ciphertext $ct\in\{0, 1\}^p$, outputs ABE.Dec(pp, sk, ct). $\mathcal{O}_2(pp, msk, ct)$ is the ideal decryption oracle which, upon being queried with a ciphertext $ct\in\{0, 1\}^p$, outputs $\mathrm{Sim}^{f(\cdot)}(pp, msk, ct)$. Moreover, Sim is restricted to query ƒ(·) at most once per invocation.

An ABSFE is a generalization of single-key ABE satisfying the following two notions of security: (1) Weak message hiding (analogous to single-key semantic security of ABE), and (2) Strong key hiding (analogous to weak function-hiding property of ABE).

Definition 2.10 (Adapted from prior work). An Attribute-Based Secure Function Evaluation (ABSFE) scheme for a function $F:\mathcal{X}\times\mathcal{Y}\to\{0, 1\}$ with message space $\mathcal{M}$ is a tuple ABSFE=(ABSFE.Setup, ABSFE.Keygen, ABSFE.Enc, ABSFE.Dec) such that:

pp ← ABSFE.Setup$(1^\lambda)$: The setup algorithm, on input the security parameter λ, outputs the public parameters pp.

(pk, sk) ← ABSFE.Keygen(pp, y): The key generation algorithm, on input the public parameters and a value $y\in\mathcal{Y}$, outputs a public key pk and a secret key sk.

ct ← ABSFE.Enc(pp, pk, x, m): The encryption algorithm takes as input the public parameters, a public key, a value $x\in\mathcal{X}$, and a message $m\in\mathcal{M}$, and outputs a ciphertext ct.

m ← ABSFE.Dec(pp, sk, x, ct): The decryption algorithm takes as input the public parameters, a secret key sk, an attribute x and a ciphertext ct, and outputs a message $m\in\mathcal{M}\cup\{\bot\}$.

An ABSFE scheme with the above algorithms satisfies the following properties:

(Perfect) Correctness: For all messages $m\in\mathcal{M}$, $x\in\mathcal{X}$, $y\in\mathcal{Y}$ where F(x, y)=1,

Weak Computational Message Hiding: This is essentially single-key semantic security for ABE: namely, a ciphertext with attribute $x\in\mathcal{X}$ encrypted under a public key for $y\in\mathcal{Y}$ where F(x, y)=0 should hide the underlying message.

Definition 2.11. Let ABSFE be an ABSFE scheme for F. Then, for all $\lambda\in\mathbb{N}$, and all admissible PPT adversaries $\mathcal{A}=(\mathcal{A}_1, \mathcal{A}_2)$, there exists a negligible function negl(·) such that

where $\mathcal{O}(pp, pk, b, x, m_0, m_1)$ is an oracle which, upon being queried with an attribute $x\in\mathcal{X}$ and messages $m_0, m_1\in\mathcal{M}$, returns a ciphertext ct ← ABSFE.Enc(pp, pk, x, $m_b$). $\mathcal{A}$ is admissible if it makes one ciphertext query $(x, m_0, m_1)$ to $\mathcal{O}$, and F(x, y)=0.

Weak Statistical Message Hiding: We introduce the statistical version of weak message hiding, which is essentially single-key statistical semantic security for ABE: namely, a ciphertext with attribute $x\in\mathcal{X}$ encrypted under a public key for $y\in\mathcal{Y}$ where F(x, y)=0 should statistically hide the underlying message.

Definition 2.12. Let ABSFE be an ABSFE scheme for F. Then, for all $\lambda\in\mathbb{N}$, and all admissible adversaries $\mathcal{A}=(\mathcal{A}_1, \mathcal{A}_2)$, there exists a negligible function negl(·) such that

where $\mathcal{O}(pp, pk, b, x, m_0, m_1)$ is an oracle which, upon being queried with an attribute $x\in\mathcal{X}$ and messages $m_0, m_1\in\mathcal{M}$, returns a ciphertext ct ← ABSFE.Enc(pp, pk, x, $m_b$). $\mathcal{A}$ is admissible if it makes one ciphertext query $(x, m_0, m_1)$ to $\mathcal{O}$, and F(x, y)=0.

Strong Key Hiding: The strong key hiding notion requires that y remains hidden even if the adversary has access to a decryption oracle (with the associated secret key sk). Strong key-hiding is reminiscent of the weak function-hiding property we defined for ABE. It is known that ABE schemes which satisfy weak function-hiding imply ABSFE schemes that satisfy strong key-hiding.

Definition 2.13. For all $\lambda\in\mathbb{N}$, and p=poly(λ), there exists a PPT simulator $\mathrm{Sim}=(\mathrm{Sim}_1, \mathrm{Sim}_2)$ such that for all keys $y\in\mathcal{Y}$, and for all PPT adversaries, there exists a negligible function negl(·) such that

Here, $\mathcal{O}_1(pp, sk, x, ct)$ is the real decryption oracle which, upon being queried with an attribute $x\in\mathcal{X}$ and a ciphertext $ct\in\{0, 1\}^p$, outputs ABSFE.Dec(pp, sk, x, ct). $\mathcal{O}_2(st, x, ct)$ is the ideal decryption oracle which, upon being queried with an attribute x and a ciphertext $ct\in\{0, 1\}^p$, outputs

Moreover, $\mathrm{Sim}_2$ is restricted to query F(·, y) at most once per invocation.

Remark 2.14. By a standard hybrid argument, any ABSFE scheme that satisfies weak message hiding against an adversary that makes a single challenge query $(x, m_0, m_1)$ is also secure against an adversary that makes polynomially many challenge queries.

Remark 2.15. One can also define a “strong” notion of message-hiding which says that semantic security holds even in the setting where the public key is maliciously chosen. Informally, in this case, we require that there exists an efficient algorithm that can extract an attribute y from any (possibly malformed) public key pk, and ciphertexts encrypted to any attribute x where F(x, y)=0 still hide the underlying message. The weaker notion suffices for our application, so we refer readers to prior work for a detailed definition.

Let L be an NP language associated with an NP relation $\mathcal{R}$. A reusable designated-verifier non-interactive zero-knowledge (DV-NIZK) argument for L consists of a tuple of three efficient algorithms DV-NIZK=(DV-NIZK.Setup, DV-NIZK.Keygen, DV-NIZK.Prove, DV-NIZK.Ver) with the following properties:

crs ← DV-NIZK.Setup$(1^\lambda)$: On input the security parameter λ, the setup algorithm outputs a common reference string crs.

(pk, sk) ← DV-NIZK.Keygen(crs): On input a common reference string crs, the key-generation algorithm outputs a public key pk and a secret verification key sk which is sent only to the verifier.

π ← DV-NIZK.Prove(crs, pk, x, w): On input the common reference string crs, a public key pk, a statement x, and a witness w, the prove algorithm outputs a proof π.

{0, 1} ← DV-NIZK.Ver(crs, sk, x, π): On input the common reference string crs, a secret key sk, a statement x, and a proof π, the verification algorithm outputs a bit b∈{0, 1}.

Moreover, DV-NIZK should satisfy the following properties:

Completeness: For all $(x, w)\in\mathcal{R}$, we have that

Soundness: We consider two variants of soundness:

Non-adaptive soundness: For all x∉L and all PPT adversaries, there exists a negligible function negl(·) such that

Adaptive soundness: For all PPT adversaries, there exists a negligible function negl(·) such that

where crs ← DV-NIZK.Setup$(1^\lambda)$ and (pk, sk) ← DV-NIZK.Keygen(crs).

Computational Zero-knowledge: For all PPT adversaries, there exists a PPT simulator $S=(S_1, S_2)$ and a negligible function negl(·) such that

where crs ← DV-NIZK.Setup$(1^\lambda)$, (pk, sk) ← DV-NIZK.Keygen(crs), and $(st_S, crs, pk, sk)$ ← $S_1(1^\lambda)$; the oracle $\mathcal{O}_0(crs, pk, w)$ outputs DV-NIZK.Prove(crs, pk, x, w) if $(x, w)\in\mathcal{R}$ and ⊥ otherwise, and the oracle $\mathcal{O}_1(st_S, x)$ outputs $S_2(st_S, x)$ if $(x, w)\in\mathcal{R}$ and ⊥ otherwise.

Statistical Zero-knowledge: For all adversaries, there exists a PPT simulator $S=(S_1, S_2)$ and a negligible function negl(·) such that

where crs ← DV-NIZK.Setup$(1^\lambda)$, (pk, sk) ← DV-NIZK.Keygen(crs), and $(st_S, crs, pk, sk)$ ← $S_1(1^\lambda)$; the oracle $\mathcal{O}_0(crs, pk, w)$ outputs DV-NIZK.Prove(crs, pk, x, w) if $(x, w)\in\mathcal{R}$ and ⊥ otherwise, and the oracle $\mathcal{O}_1(st_S, x)$ outputs $S_2(st_S, x)$ if $(x, w)\in\mathcal{R}$ and ⊥ otherwise.

3 Secret Sharing with Randomness Recovery

A key ingredient in our ABSFE construction is a secret sharing scheme for non-monotone functions with a randomness recovery property.

A secret sharing scheme for non-monotone functions is a generalization of standard secret sharing which applies to arbitrary (not necessarily monotone) functions. In such a scheme, the shares consist of $2\ell$ values $(s_1, t_1, s_2, t_2, \dots, s_\ell, t_\ell)$, and for any input $(x_1, \dots, x_\ell)\in\{0, 1\}^\ell$, the collection of shares $\{s_i : x_i=1\}\cup\{t_i : x_i=0\}$ determines the secret if $F(x_1, \dots, x_\ell)=1$ and does not reveal anything otherwise. The randomness recovery property requires a procedure that recovers all the $2\ell$ shares from the $\ell$ shares in the case where F is satisfied.

Analogously to standard secret sharing, we refer to x as an authorized set of users if F(x)=1 and unauthorized otherwise. Further, when x is authorized, the corresponding shares, i.e., $\{s_i : x_i=1\}\cup\{t_i : x_i=0\}$, are referred to as the authorized shares.

Remark 3.1. A secret sharing scheme for non-monotone functions captures the case where parties are partitioned into pairs, and we care about coalitions where exactly one party from each pair is present. This notion was studied in the past in several works. The additional randomness recovery property that we require is new to our work.

Definition 3.2 (Secret sharing with randomness recovery (RR-SS)). A secret sharing scheme with randomness recovery for a function family $\mathcal{F}=\{F:\{0, 1\}^\ell\to\{0, 1\}\}$ with secret space $\mathcal{S}$ and share space $\mathcal{V}$ is defined as a tuple SS-RR=(SS-RR.GenShares, SS-RR.Reconstruct, SS-RR.Regenerate) such that

$(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$ ← SS-RR.GenShares(F, s): A randomized share generation algorithm that takes as input the function $F\in\mathcal{F}$ and the secret $s\in\mathcal{S}$, and outputs shares $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})\in\mathcal{V}^{2\ell}$.

s ← SS-RR.Reconstruct(F, $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$): A deterministic algorithm that takes as input the function $F\in\mathcal{F}$ and $2\ell$ shares $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$, and outputs a secret $s\in\mathcal{S}$.

$(b_{1,0}, b_{1,1}, \dots, b_{\ell,0}, b_{\ell,1})$ ← SS-RR.Regenerate(F, $(y_1, \dots, y_T)$): A deterministic algorithm that, on input a function $F\in\mathcal{F}$ and shares $\{y_i\}_{i\in[T]}$ for any $T\le 2\ell$, outputs shares $(b_{1,0}, b_{1,1}, \dots, b_{\ell,0}, b_{\ell,1})\in\mathcal{V}^{2\ell}\cup\{\bot\}$. (To be syntactically correct, we can assume that SS-RR.Regenerate has $2\ell+1$ ordered input slots and the remaining $2\ell-T$ slots are set as ⊥.)

The share size of a scheme as above is defined to be $\lceil\log|\mathcal{V}|\rceil$.

Definition 3.3 (Efficiency). For any function $F\in\mathcal{F}$ let |F| denote the length of the description of F; then SS-RR.GenShares runs in time $\mathrm{poly}(|F|, \lceil\log|\mathcal{S}|\rceil)$, SS-RR.Reconstruct runs in time $\mathrm{poly}(|F|, \ell, \lceil\log|\mathcal{V}|\rceil)$, and SS-RR.Regenerate runs in time $\mathrm{poly}(|F|, \ell, \lceil\log|\mathcal{V}|\rceil)$.

The correctness of a secret sharing scheme for a function family $\mathcal{F}$ as above is captured by the following property.

Definition 3.4 (Correctness). For any function $F\in\mathcal{F}$, and any secret $s\in\mathcal{S}$,

Reconstruction correctness:

where the probability is over the randomness used for sampling $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$ ← SS-RR.GenShares(F, s).

Regeneration correctness: for all $x\in\{0, 1\}^\ell$ such that F(x)=1,

where the probability is over the randomness used for sampling $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$ ← SS-RR.GenShares(F, s).

In other words, if $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$ was generated honestly by the share generation algorithm, then every set of authorized shares must regenerate exactly the set of shares $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$.

Definition 3.5 (Perfect privacy). For any access function F and any input x such that F(x)=0, and for any two secrets $s_1, s_2\in\mathcal{S}$, the distributions

are identical, where $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$ ← SS-RR.GenShares

Lastly, we formalize the soundness property of the Regenerate procedure. In short, it says that every (potentially maliciously generated) set of shares is either invalid, or corresponds to some legal sharing of some secret (meaning the shares are valid).

Definition 3.6 (Soundness of Regenerate). For any function $F\in\mathcal{F}$, for all sets of (maliciously generated) shares $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})\in\mathcal{V}^{2\ell}$, and for all subsets of shares $(z_1, \dots, z_T)$ with $T\le 2\ell$ such that for some $x\in\{0, 1\}^\ell$ with F(x)=1, $\forall i\in[\ell]$, $a_{i,x_i}\in(z_1, \dots, z_T)$,

either SS-RR.Regenerate(F, $(z_1, \dots, z_T)$)=⊥;

or $\exists s\in\mathcal{S}$, $\exists r$: SS-RR.Regenerate(F, $(z_1, \dots, z_T)$)=SS-RR.GenShares(F, s; r).

We construct such a secret sharing scheme for all functions that can be computed by polynomial-sized branching programs (PBP).

Definition 3.7 (Branching Programs of size ℓ). A size-ℓ branching program is a Directed Acyclic Graph (DAG) G with the following properties:

The graph G has ℓ+2 nodes.

There exists a designated source node, call it $v_1$.

There are 2 sink nodes, denoted by $v_{acc}$ and $v_{rej}$, with no outgoing edges. All non-sink nodes labelled $\{v_1, \dots, v_\ell\}$ have exactly two outgoing edges labelled (i, b), for i∈[ℓ] and b∈{0, 1}. Without loss of generality, assume that $v_{acc}=v_{\ell+1}$ and $v_{rej}=v_{\ell+2}$.

Every directed path in G must terminate at either $v_{acc}$ or $v_{rej}$.

Definition 3.8 (Functions solvable by Polynomial Branching Programs). A function $F:\{0, 1\}^n\to\{0, 1\}$ is solvable by a size-ℓ branching program G if there is a mapping $\mu:\{0, 1\}^n\to\{0, 1\}^\ell$ such that for all inputs $x\in\{0, 1\}^n$ and $y=\mu(x)$:

the set of edges $\{(i, y_i)\}_{i\in[\ell]}$ in G forms a directed path from $v_1$ to $v_{acc}$ if F(x)=1, and

the set of edges $\{(i, y_i)\}_{i\in[\ell]}$ in G forms a directed path from $v_1$ to $v_{rej}$ if F(x)=0.

G is said to be polynomial sized if ℓ∈poly(n).

Definition 3.9 (Complexity Class (PBP)). PBP is the class of decision problems which are solvable by a polynomial sized branching program.

We now present the construction of a secret sharing scheme for PBP. We assume every function F∈PBP is represented as a polynomial sized branching program.

SS-RR.GenShares(F, s):

Intuition. To share a secret s, we assign s to the accept sink node. The source and reject sink node are assigned the value 0. Every other node is assigned a uniformly random value. The share corresponding to each edge (hence to each party) is the difference between the values of the nodes at its two ends. Clearly, if one has a path from the source node to the accept sink node, then adding the shares along the path will yield the correct secret s. Intuitively, regeneration correctness follows from the observations that (1) we always know the share corresponding to at least one outgoing edge from every node, and (2) for every node directly connected to a sink by an edge, once we know the secret and the share corresponding to one outgoing edge from it, we can simply add these two values to get the random value assigned to the node. This step can be repeated iteratively to extract all the shares. In our construction we work with $\mathcal{S}=\mathcal{V}=\{0, 1\}^p$. We proceed with the full details.

1. Assign values $\mathrm{val}_i$ to every node $v_i$, $i\in[\ell+2]$;

2. Define the shares $\{a_{i,b}\}_{i\in[\ell], b\in\{0,1\}}$ as follows: if the edge labelled (i, b) is directed from node $v_i$ to $v_j$, then set $a_{i,b}=\mathrm{val}_i-\mathrm{val}_j$;

3. Output $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$.

SS-RR.Reconstruct(F, $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$):

1. Perform Depth First Search to find a directed path from $v_1$ to $v_{acc}$ in F. Denote the path by E.

2. If no path exists from $v_1$ to $v_{acc}$, then output ⊥ and terminate.

3. Output $\sum_{(j,b)\in E} a_{j,b}$.

SS-RR.Regenerate(F, $(y_1, \dots, y_T)$):

1. Interpret $y_i$ as $a_{j,b}$ in the correct order with the appropriate indices for some $j\in[\ell]$ and $b\in\{0, 1\}$. Add the edge (j, b) to the set E.

2. Construct a DAG with ℓ+2 nodes and edge set E.

3. If no path exists from $v_1$ to $v_{acc}$, then output ⊥ and terminate.

4. Perform a Depth First Search to find a path E′ from $v_1$ to $v_{acc}$.

7. Let $n_v$ be the minimum length of a directed path from v to either $v_{acc}$ or $v_{rej}$.

8. Do the following iteratively for all k=1 to

(a) For all nodes v such that $n_v=k$:

i. Let $v_j$ be any node which has the directed edge (i, b) from $v_i$ such that

9. For all i, j, if the edge labelled (i, b) is directed from node $v_i$ to $v_j$, then set

10. If ∃(j, b)∈E such that

then output ⊥.

11. Else output
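As an added worked example (not code from the patent), the following Python implements the DAG-based construction above over $\mathcal{S}=\mathcal{V}=\{0,1\}^p$, where the "difference" of two node values is their XOR; the 3-node branching program, p=16 and all function names are assumptions of this example. The final check in `regenerate` is what realizes regeneration soundness (Definition 3.6): a supplied set of shares that is inconsistent with every honest sharing is rejected with ⊥ (`None`).

```python
import secrets

ACC, REJ = "acc", "rej"   # the two sink nodes v_acc, v_rej; the source is node 1
P = 16                    # secret/share length p: secrets and shares live in {0,1}^p

# Constructed branching program (an assumption of this example, not from the
# patent): non-sink node i reads bit y_i and follows its out-edge labelled
# (i, y_i).  This one computes F(y) = y_1 AND (y_2 OR y_3).
BP = {
    1: {0: REJ, 1: 2},
    2: {0: 3, 1: ACC},
    3: {0: REJ, 1: ACC},
}


def find_path(edge_map, start=1, goal=ACC):
    """Depth-first search over the DAG whose edges are the keys (i, b) -> target
    of edge_map.  Returns the list of edge labels on a start->goal path, or None."""
    out = {}
    for (i, b), tgt in edge_map.items():
        out.setdefault(i, []).append((b, tgt))
    stack = [(start, [])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            return path
        for b, tgt in out.get(node, []):
            stack.append((tgt, path + [(node, b)]))
    return None


def gen_shares(bp, s):
    """SS-RR.GenShares: source and reject sink get 0, accept sink gets s, every
    other node a uniform p-bit value; the share of edge (i, b) is the XOR
    (the difference in {0,1}^p) of the values at its two endpoints."""
    val = {1: 0, REJ: 0, ACC: s}
    for i in bp:
        if i != 1:
            val[i] = secrets.randbits(P)
    shares = {(i, b): val[i] ^ val[tgt] for i in bp for b, tgt in bp[i].items()}
    return shares, val            # val is the randomness r of GenShares


def reconstruct(bp, shares):
    """SS-RR.Reconstruct: XOR the shares along any source->accept path."""
    edge_map = {(i, b): bp[i][b] for i in bp for b in (0, 1)}
    path = find_path(edge_map)
    if path is None:
        return None
    s = 0
    for e in path:
        s ^= shares[e]
    return s


def authorized_shares(shares, y):
    """The authorized shares {a_{i, y_i}} for the input y = (y_1, ..., y_l)."""
    return {(i, y[i - 1]): shares[(i, y[i - 1])] for i in range(1, len(y) + 1)}


def regenerate(bp, given):
    """SS-RR.Regenerate: from a subset of shares (keyed by edge label) recover
    the secret and all 2l shares, or return None (bottom) when the subset holds
    no accepting path or is inconsistent with every honest sharing."""
    edge_map = {(i, b): bp[i][b] for (i, b) in given}
    path = find_path(edge_map)
    if path is None:
        return None
    s = 0
    for e in path:
        s ^= given[e]
    # n_v: length of the shortest path from v to a sink using only the given edges
    dist = {ACC: 0, REJ: 0}
    def n_v(node):
        if node not in dist:
            nxt = [n_v(tgt) for (i, _), tgt in edge_map.items() if i == node]
            dist[node] = 1 + min(nxt) if nxt else float("inf")
        return dist[node]
    if any(n_v(i) == float("inf") for i in bp):
        return None               # a node with no given share cannot be valued
    # Walk nodes outwards from the sinks: val_i = a_{i,b} XOR val_j for a given
    # edge (i, b) -> v_j whose endpoint is already valued.
    val = {ACC: s, REJ: 0}
    for i in sorted(bp, key=n_v):
        b, tgt = next((b, tgt) for (j, b), tgt in edge_map.items()
                      if j == i and dist[tgt] == dist[i] - 1)
        val[i] = given[(i, b)] ^ val[tgt]
    regen = {(i, b): val[i] ^ val[tgt] for i in bp for b, tgt in bp[i].items()}
    # Regeneration soundness check: the recovered node values must reproduce every
    # supplied share and give the source the value 0, i.e. equal GenShares(F, s; r).
    if val[1] != 0 or any(regen[e] != v for e, v in given.items()):
        return None
    return regen, s
```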

Lemma 3.10. For any function F∈PBP and secret/share space $\{0, 1\}^p$, SS-RR.GenShares, SS-RR.Reconstruct and SS-RR.Regenerate all run in time poly(|F|, p).

The proof follows by observing that Depth First Search can be done in polynomial time in the size of function F, and all other operations in the algorithms run in polynomial time in the length of their respective inputs.

Lemma 3.11. For any function F∈PBP and secret $s\in\{0, 1\}^p$,

where the probability is over the randomness used for sampling $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$ ← SS-RR.GenShares(F, s). Here SS-RR.Reconstruct and SS-RR.GenShares are as presented in the above construction.

Proof. By the correctness of Depth First Search, E contains $v_1$ and $v_{acc}$, and a sequence of edges (j, b) for some b∈{0, 1} which starts from $v_1$ and ends at $v_{acc}$. Let $\{a_{j,b}\}_{(j,b)\in E}$ be the shares corresponding to these edges in the path.

Let us assume that the length of path E is t for some t≤ℓ. Let $u_1, \dots, u_t$ denote the nodes in E in the correct order, i.e., $u_1=v_1$, $u_t=v_{acc}$ and there is an edge in E from $u_i$ to $u_{i+1}$. Let

be the value assigned to node $u_i$ by the algorithm GenShares. Therefore, as per the construction of GenShares,

Thus, we prove a stronger statement that for all randomness r,

where r is the internal randomness used by SS-RR. GenShares.

Lemma 3.12. For all functions F∈PBP and $x\in\{0, 1\}^\ell$ such that F(x)=1,

Here SS-RR.Regenerate and SS-RR. GenShares are as presented in the above construction.

Lemma 3.13. For any function F and any input x such that F(x)=0, and for any two secrets $s_1, s_2\in\{0, 1\}^p$, the distributions

and

are identical, where $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$ ← SS-RR.GenShares(F, $s_1$) and

Lemma 3.14. For any function $F\in\mathcal{F}$, for all sets of (maliciously generated) shares $(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})\in\mathcal{V}^{2\ell}$, and for all subsets of shares $(z_1, \dots, z_T)$ with $T\le 2\ell$ such that for some $x\in\{0, 1\}^\ell$ with F(x)=1, $\forall i\in[\ell]$, $a_{i,x_i}\in(z_1, \dots, z_T)$,

either SS-RR.Regenerate(F, $(z_1, \dots, z_T)$)=⊥;

or $\exists s\in\{0, 1\}^p$, $\exists r$: SS-RR.Regenerate(F, $(z_1, \dots, z_T)$)=SS-RR.GenShares(F, s; r).

Moreover, if $\exists s\in\{0, 1\}^p$, r such that SS-RR.GenShares(F, s; r)=$(a_{1,0}, a_{1,1}, \dots, a_{\ell,0}, a_{\ell,1})$, then

Thus, we get the following theorem:

Theorem 3.15 (Efficient secret sharing for non-monotone functions with randomness recovery for functions in (PBP)). There exists an efficient secret sharing scheme with randomness recovery satisfying perfect reconstruction correctness, perfect regeneration correctness, perfect privacy and regeneration soundness for any access function F∈PBP.

A computational monotone secret sharing scheme with randomness recovery. Additionally, we also construct a randomness-recoverable monotone secret sharing scheme with computational privacy in Appendix ??. The construction relies on a primitive called Targeted Lossy Pseudorandom Generators (see Definition ??) which can be constructed from one-way functions. We believe such a scheme can be of independent interest, but postpone the details to the appendix.

Remark 3.16 (Comparison with prior work). Hajiabadi et al. introduce the notion of randomness recoverable secret sharing schemes both in the information theoretic and computational regimes. Our DAG based information theoretic construction is incomparable to their work as our scheme works for a non-monotone access structure, and therefore it is not really a secret sharing scheme in the usual sense. On the other hand, our computational LSSS is a strictly weaker object because it needs a Setup algorithm to generate the secret along with the shares. On the positive side, we can show that such an LSSS with setup suffices to construct ABSFE which in turn implies DV-NIZK for NP, and we can construct them directly from One-Way functions. Note that the construction in prior work relies on either a one-time KDM secure SKE or hinting PRGs which are not known to be implied by One-Way functions.

In this section we lay out the details of our ABSFE construction for some function ƒ with range {0, 1}. Our construction uses the following building blocks in a black-box manner:

1. A length-parameterized lossy trapdoor function family LTDF=(LTDF.Setup, LTDF.AltSetup, LTDF.Eval) with input length δ and lossiness parameter λ. See Section 2.2 and Theorem 2.4.

2. A non-monotone secret sharing scheme with randomness recovery SS-RR=(SS-RR.GenShares, SS-RR.Reconstruct, SS-RR.Regenerate) for ƒ with long secret and shares in $\{0, 1\}^\delta$. See Section 3 and Theorem 3.15.

3. A pairwise independent hash function family $\mathcal{H}=\{H:\{0, 1\}^\delta\to\{0, 1\}^\lambda\}$ where

Here λ is the security parameter for the scheme. See Definition 2.1.

We summarize the various parameters used in our construction in the table below:

Parameter: Notation
Security parameter: λ
Length of ABSFE key:
Length of plaintext message and output length of hash function: γ
Input length to the hash function and LTDF: δ
Lossiness parameter of LTDF:

As mentioned, we rely on the following primitives in a black box manner: a length-parametrized lossy trapdoor function family, a pairwise independent hash function family, and a non-monotone secret sharing scheme with randomness recovery.

Notation: For any bit b∈{0, 1}, $\bar{b}$ denotes 1−b∈{0, 1}. For any function ƒ with two inputs, say (x, k), $f_x$ is the function which is hardcoded with x and which, upon input k, satisfies the property that for all (x, k), $f(x, k)=f_x(k)$.

ABSFE.Setup$(1^\lambda)$:

1. Sample $H\leftarrow\mathcal{H}$.

2. Output pp := H.

ABSFE.Keygen(pp, k), for a key k in the ABSFE key space:

6. Output (pk, sk).

ABSFE.Enc(pp, pk, $x\in\{0, 1\}^\lambda$, $m\in\{0, 1\}^\lambda$):

ABSFE.Dec(pp,sk, x, ct):

5. If ∃j∈[n], b∈{0, 1} such that LTDF.Eval(ev, $\tilde{a}_{j,b}$) ≠ $ct_{j,b}$, then output ⊥.

6. Else, output $ct_0\oplus H(s')$.

5 DV-NIZK from ABSFE

We briefly recall the main theorem of prior work which shows that DV-NIZKs can be constructed in a black-box manner from ABSFE. We present their main theorem and show how it can be extended to get DV-NIZK with statistical zero-knowledge if the underlying ABSFE satisfies statistical message-hiding.

Designated Verifier NIZKs from ABSFE: Let $\mathcal{L}\subseteq\{0, 1\}^n$ be an NP language associated with the NP relation $\mathcal{R}\subseteq\{0, 1\}^n\times\{0, 1\}^h$. A DV-NIZK for $\mathcal{L}$ relies on the following building blocks:

A semi-malicious zero-knowledge PCP zkPCP=(zkPCP.Prove, zkPCP.Query, zkPCP.Ver) for $\mathcal{R}$. Let m be the length of the PCP and ρ be a bound on the number of random bits needed for zkPCP.Query.

A pseudorandom function $\mathrm{PRF}:\{0, 1\}^\lambda\times\{0, 1\}^n\to\{0, 1\}^\rho$.

An attribute-based secure function evaluation scheme ABSFE=(ABSFE.Setup, ABSFE.Keygen, ABSFE.Enc, ABSFE.Dec) with weak message hiding and strong key hiding for the function F which is defined below.

Function for ABSFE: Let $\mathcal{F}=\{f:\{0, 1\}^\lambda\times\,\cdot\,\to\{0, 1\}\}$ be the function family where

Here, $(st_x, \dots)$ ← zkPCP.Query(x; PRF(k, x)).

We present their main theorem below.

Theorem 5.1. If there exists attribute-based secure function evaluation (ABSFE) with weak message hiding and strong key hiding, a semi-malicious zkPCP for NP, and a pseudorandom function, then there exists a reusable non-adaptively sound DV-NIZK argument for NP. See prior work for the detailed construction and proofs.

Observe that in the theorem statement of prior work, the ABSFE and the zero-knowledge PCP satisfy computational weak message hiding and computational zero-knowledge respectively. The final conclusion also yields a DV-NIZK argument with computational ZK. However, the result can be easily extended to achieve DV-NIZK with statistical zero-knowledge if the aforementioned properties are made statistical. In particular, we prove the following theorem:

Theorem 5.2. Let $\lambda\in\mathbb{N}$ be the security parameter. For all n, ρ=poly(λ), if there exist a semi-malicious statistical zero-knowledge PCP zkPCP=(zkPCP.Prove, zkPCP.Query, zkPCP.Ver) for NP, where ρ is a bound on the number of random bits needed for zkPCP.Query, a pseudorandom function $\mathrm{PRF}:\{0, 1\}^\lambda\times\{0, 1\}^n\to\{0, 1\}^\rho$, and an attribute-based secure function evaluation scheme ABSFE=(ABSFE.Setup, ABSFE.Keygen, ABSFE.Enc, ABSFE.Dec) with weak statistical message hiding and strong key hiding for the function F defined above, then there exists a reusable non-adaptively sound DV-NIZK argument with statistical zero-knowledge for NP.

Referring to FIG. 1, a communication system 100 implements secure attribute-based encryption with function hiding properties through a comprehensive process flow that establishes mathematical frameworks and operational procedures. The communication system 100 begins with step 110, which involves sampling a hash function from a pairwise-independent hash family. This hash function H serves as a public parameter and forms part of the foundational cryptographic infrastructure. The pairwise-independent hash family provides statistical properties that ensure the entropy of random secrets remains sufficiently high given ciphertext components, thereby preventing statistical attacks against the encryption scheme. In some cases, the hash function H may be selected from families such as universal hash functions or other cryptographically secure hash constructions that maintain the pairwise independence property across different input pairs. The process continues to step 120, where a sequence of trapdoor function pairs

for i∈[n] and b∈{0, 1} are generated, where n represents a positive integer parameter. These trapdoor function pairs form the mathematical foundation for the encryption and decryption operations. The trapdoor functions may be generated using lossy trapdoor function setup algorithms that enable efficient sampling in either lossy or injective modes. In the injective mode, the trapdoor function pairs

are efficiently computable and invertible with knowledge of the trapdoor information. The lossy mode provides computational security properties by making the functions statistically lossy, meaning that the range of the function becomes significantly smaller than the domain, thereby hiding information about the inputs.

As shown in FIG. 1, step 130 establishes a public key pk as the set of trapdoor functions {g_{i,b}}_{i∈[n], b∈{0,1}}. This public key structure enables the encryption process to operate without revealing the specific trapdoor information while maintaining the ability to perform the forward direction of the trapdoor functions. The public key may be distributed to encryption devices and stored in memory systems for subsequent use in encryption operations. Step 140 generates a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses

where ƒ_i represents the i-th bit of the binary string ƒ. The secret key structure enables selective access to specific trapdoor function inverses based on the binary representation encoded in the string ƒ, thereby implementing attribute-based access control mechanisms.

With continued reference to FIG. 1, step 150 stores the remaining trapdoor function inverses as a master secret key in memory. This master secret key contains the trapdoor function inverses that are not included in individual secret keys, enabling a hierarchical key management structure. The master secret key may be maintained by a trusted authority or key management system that can generate additional secret keys for different attributes or access policies. Step 160 initiates the encryption phase by receiving a message m and an attribute a for encryption. The attribute a and the binary string ƒ represent inputs to a function F(x, ƒ), where decryption succeeds if and only if F(x, ƒ)=1, thereby implementing attribute-based access control mechanisms that determine which secret keys can successfully decrypt ciphertexts encrypted under specific attributes.

The encryption process advances to step 170, where a random secret s is sampled and stored in memory. This random secret s serves as the foundation for the secret sharing scheme and provides the randomness necessary for semantic security of the encryption scheme. Step 180 generates shares (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}) using a share generating algorithm executed by a processor. The share generating algorithm implements a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares. In some cases, the secret sharing scheme may utilize linear secret sharing schemes, threshold secret sharing, or more advanced constructions that support complex access structures and non-monotone Boolean functions.

As further shown in FIG. 1, step 190 computes ciphertext components ct_{i,b}=g_{i,b}(a_{i,b}) for i∈[n] and b∈{0, 1} using the processor. These ciphertext components represent the application of the trapdoor functions to the generated shares, creating the encrypted representation of the secret sharing information. The computation of ciphertext components may involve modular arithmetic operations, elliptic curve computations, or other mathematical operations depending on the specific trapdoor function construction employed. Step 191 computes a final ciphertext component ct_0=m ⊕ H(s), where ⊕ denotes the bitwise XOR operation. This final ciphertext component combines the original message m with the hash of the random secret s, creating a one-time pad construction that provides information-theoretic security for the message content given the secrecy of the random secret s.

The encryption process concludes with step 192, which assembles a complete ciphertext as (ct_0, {ct_{i,b}}_{i∈[n], b∈{0,1}}) and stores the complete ciphertext in a storage device. The complete ciphertext structure encapsulates both the encrypted message component and the encrypted secret sharing components, enabling subsequent decryption operations by authorized parties. The complete ciphertext may be transmitted via network interface devices to decryption systems or stored in distributed storage systems for later retrieval and decryption.

The decryption phase begins with step 193, where the complete ciphertext is processed for decryption. Step 194 computes shares

for trapdoor function inverses

contained in the secret key. This computation applies the trapdoor function inverses to the corresponding ciphertext components, recovering the shares that were originally generated during the encryption process. The successful computation of shares depends on the availability of the appropriate trapdoor function inverses in the secret key, which is determined by the attribute-based access control function F(x, ƒ). Step 195 reconstructs the secret s using a secret sharing reconstruction procedure on the computed shares. The reconstruction procedure may involve linear algebra operations, polynomial interpolation, or other mathematical techniques depending on the specific secret sharing scheme implementation.

The decryption process concludes with step 196, which recovers the message as m=ct_0 ⊕ H(s) using the reconstructed secret s. This message recovery operation reverses the one-time pad construction applied during encryption, yielding the original message m. The communication system 100 implements function hiding properties, wherein an adversary with access to the complete ciphertext and the message cannot distinguish between two different implementations of encryption functions that produce the same input-output behavior. These function hiding properties ensure that the specific access structure or attribute relationships remain concealed from adversaries, providing additional privacy protection beyond the confidentiality of the encrypted message content.

Referring to FIG. 2, a communication system 200 provides a distributed architecture for implementing secure attribute-based encryption with function hiding properties. The communication system 200 comprises multiple specialized devices that work in coordination to execute cryptographic operations across a networked environment. The distributed nature of the communication system 200 allows for separation of cryptographic responsibilities, enhancing security through compartmentalization of sensitive operations and data storage. In some cases, the communication system 200 may be deployed across geographically distributed locations to provide redundancy and fault tolerance for cryptographic services.

The communication system 200 includes a setup device 205 that serves as the foundation for establishing cryptographic parameters and public system configurations. A setup processing unit 210 within the setup device 205 executes parameter generation algorithms and manages the initialization of cryptographic primitives. The setup processing unit 210 may comprise specialized hardware components optimized for cryptographic computations, including random number generators and mathematical coprocessors. A storage unit 215 associated with the setup device 205 maintains public parameters, system configuration data, and initialization vectors that are distributed to other components within the communication system 200. The storage unit 215 may implement secure storage mechanisms to protect against unauthorized access to system parameters while allowing controlled distribution to authorized devices.

A key generation device 220 operates within the communication system 200 to manage the creation and distribution of cryptographic keys for authorized entities. The key generation device 220 incorporates a key generation processing unit 225 that executes algorithms for generating secret keys, master secret keys, and associated cryptographic material. The key generation processing unit 225 may implement hardware security modules or trusted execution environments to protect key generation processes from external observation or tampering. A storage unit 230 within the key generation device 220 maintains generated keys, key metadata, and access control information that determines which entities may receive specific cryptographic keys. In some cases, the storage unit 230 may implement hierarchical key storage structures that allow for efficient key derivation and management across multiple security domains.

The communication system 200 further includes a communication network 235 that interconnects the setup device 205, key generation device 220, and other system components. The communication network 235 facilitates secure data exchange between distributed devices while maintaining the integrity and confidentiality of transmitted cryptographic material. The communication network 235 may implement multiple communication protocols and security layers to ensure that sensitive data remains protected during transmission. In some cases, the communication network 235 may incorporate dedicated cryptographic channels, virtual private networks, or other secure communication mechanisms to prevent unauthorized interception of cryptographic operations and data.

An encryption device 240 within the communication system 200 performs message encryption operations using the secure attribute-based encryption protocol. The encryption device 240 contains an encryption processing unit 245 that executes the encryption algorithms, including trapdoor function computations, secret sharing operations, and ciphertext generation procedures. The encryption processing unit 245 may implement parallel processing capabilities to handle multiple encryption operations simultaneously, improving system throughput and responsiveness. A storage unit 250 associated with the encryption device 240 maintains encryption parameters, public keys, messages awaiting encryption, and generated ciphertext data. The storage unit 250 may implement temporary storage mechanisms that automatically purge sensitive data after encryption operations complete, reducing the exposure window for plaintext messages.

With continued reference to FIG. 2, a decryption device 255 operates within the communication system 200 to perform ciphertext decryption and message recovery operations. The decryption device 255 incorporates a decryption processing unit 260 that executes decryption algorithms, including share reconstruction procedures, trapdoor function inverse computations, and message recovery operations. The decryption processing unit 260 may implement secure computation environments that protect secret keys and intermediate decryption values from external observation during processing. A storage unit 265 within the decryption device 255 maintains secret keys, received ciphertext data, intermediate computation results, and recovered plaintext messages. In some cases, the storage unit 265 may implement access control mechanisms that restrict access to decrypted messages based on attribute-based policies and user authorization levels.

The distributed architecture of the communication system 200 enables separation of cryptographic functions across multiple processing units, reducing the risk of single points of failure and enhancing overall system security. The setup processing unit 210 focuses on parameter generation and system initialization, while the key generation processing unit 225 specializes in key management operations. The encryption processing unit 245 handles message encryption tasks, and the decryption processing unit 260 manages ciphertext decryption procedures. This functional separation allows each processing unit to be optimized for specific cryptographic operations while maintaining secure communication channels through the communication network 235.

The storage units 215, 230, 250, and 265 within the communication system 200 may implement different security levels and access controls based on the sensitivity of stored data. The storage unit 215 may provide read-only access to public parameters, while the storage unit 230 implements strict access controls for secret key material. The storage unit 250 may provide temporary storage for encryption operations, and the storage unit 265 may implement secure deletion mechanisms for decrypted messages. In some cases, the storage units may implement distributed storage mechanisms that replicate data across multiple physical locations to provide redundancy and availability for cryptographic operations.

Referring to FIG. 3, a method 300 for secure attribute-based encryption with function hiding properties begins with generating encryption parameters using a processor. The method 300 commences at step 302 with the generation of encryption parameters that form the foundational cryptographic structure for the secure communication system. The parameter generation process involves multiple interconnected components that work together to establish the mathematical framework for both encryption operations and function hiding capabilities. In some cases, the encryption parameters may be generated using specialized cryptographic libraries that implement standardized algorithms for trapdoor function construction and hash function sampling.

At step 304, the method 300 samples a hash function H from a pairwise-independent hash family as a public parameter and stores the hash function H in a memory. The pairwise-independent hash family provides statistical properties that ensure the entropy of random secrets remains sufficiently high given the ciphertext components, thereby preventing statistical attacks against the encryption scheme. In some cases, the pairwise-independent hash family may be selected from constructions based on polynomial evaluation over finite fields, where the hash function H takes the form H(x)=ax+b mod p for randomly chosen coefficients a and b and a prime p. The selection of the hash function H from this family ensures that any two distinct inputs produce hash outputs that are statistically independent, which forms a cornerstone of the security analysis for the attribute-based encryption scheme.

The method 300 proceeds to step 306, where a sequence of trapdoor function pairs

for i∈[n] and b∈{0,1} are generated, where n is a positive integer, and the trapdoor function pairs are stored in the memory. The trapdoor function pairs

may be generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode. In the injective mode, the trapdoor function pairs

are efficiently computable and invertible with knowledge of the trapdoor, enabling legitimate decryption operations. The lossy mode provides computational security by making the trapdoor functions statistically lossy, meaning that multiple inputs may map to the same output, thereby hiding information about the encrypted data from unauthorized parties.

With continued reference to FIG. 3, the method 300 advances to step 308, where a public key pk is set as the set of trapdoor functions {g_{i,b}}_{i∈[n], b∈{0,1}} and stored in the memory. The public key pk construction creates a structured collection of trapdoor functions that correspond to different bit positions and binary values within the encryption scheme. In some cases, the public key pk may contain 2n distinct trapdoor functions, where each function g_{i,b} corresponds to the i-th position and binary value b. The organization of these functions within the public key pk enables the encryption process to select appropriate trapdoor functions based on the binary representation of attributes and secret sharing parameters.

At step 310, the method 300 generates a secret key sk comprising a binary string ƒ of length n and a set of trapdoor function inverses

where ƒ_i is the i-th bit of ƒ, and stores the secret key sk in the memory. The binary string ƒ serves as a selector that determines which trapdoor function inverses are included in the secret key sk for each position i. The construction of the secret key sk establishes a direct correspondence between the binary representation of authorized attributes and the cryptographic capabilities granted to the key holder. In some cases, the binary string ƒ may represent a specific access policy or attribute pattern that defines the decryption capabilities of the secret key sk.

The method 300 continues to step 312, where the remaining trapdoor function inverses are stored as a master secret key in a memory. The master secret key contains the complete set of trapdoor function inverses

that were not included in individual secret keys sk. This hierarchical key management structure enables the generation of multiple secret keys with different access patterns while maintaining a central authority that possesses complete decryption capabilities. The master secret key serves as the root of trust for the attribute-based encryption system and enables the generation of additional secret keys for new users or modified access policies.

As further shown in FIG. 3, the method 300 proceeds to step 314, where a message m and attribute x are received via a network interface device, and the message m and attribute a are stored in the memory. The attribute a and the binary string ƒ represent inputs to a function F(x, ƒ), where decryption succeeds if and only if F(x, ƒ)=1, thereby implementing attribute-based access control. The function F(x, ƒ) may implement various access control policies, including threshold schemes, Boolean formulas, or more complex attribute relationships. In some cases, the function F(x, ƒ) may be designed to support non-monotone access structures, allowing for both positive and negative attribute requirements within the same policy.

The mathematical relationship between the attribute x, binary string ƒ, and access control function F(x, ƒ) establishes the foundation for secure attribute-based encryption. The attribute x may be encoded as a binary vector or processed through a deterministic mapping that produces binary values corresponding to specific attribute properties. The evaluation of F(x, ƒ) determines whether the holder of a secret key sk with binary string ƒ can successfully decrypt a ciphertext encrypted under attribute x. This relationship enables fine-grained access control where decryption capabilities are tied to specific attribute patterns rather than simple key possession.

The method 300 advances to step 316, where the message m is encrypted under the attribute a using the processor. The encryption process utilizes the previously generated encryption parameters, including the hash function H, trapdoor functions from the public key pk, and the attribute a to produce a ciphertext that can be decrypted by authorized secret keys. The encryption operation creates a mathematical binding between the message m and the attribute a through the use of secret sharing schemes and trapdoor function evaluations. In some cases, the encryption process may implement a secret sharing scheme for non-monotone functions, allowing reconstruction of encryption secrets from authorized subsets of shares while preventing reconstruction from unauthorized combinations.

Referring to FIG. 4, a method 400 illustrates the encryption process for secure attribute-based encryption with function hiding properties. The method 400 begins at step 402, where a random secret s is sampled and stored in memory. The sampling of the random secret s forms the foundation for the subsequent cryptographic operations, as the random secret s provides the entropy source for the share generation algorithm. In some cases, the random secret s may be generated using a cryptographically secure pseudorandom number generator that ensures sufficient entropy for the security properties of the encryption scheme. The storage of the random secret s in memory enables subsequent processing steps to access the random secret s for share generation and ciphertext component computation.

The method 400 proceeds to step 404, where shares are generated using a share generating algorithm. The share generating algorithm produces shares (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}) that correspond to the secret sharing scheme implementation. The share generating algorithm may implement a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares. In some cases, the share generating algorithm distributes the random secret s across multiple shares such that the secret s can be reconstructed when a sufficient number of authorized shares are available. The generated shares are stored in memory to facilitate the subsequent ciphertext component computation process.

As shown in FIG. 4, the method 400 continues to step 406, where ciphertext components are computed using trapdoor functions. The computation involves applying trapdoor functions g_{i,b} to the corresponding shares a_{i,b} to produce ciphertext components ct_{i,b}=g_{i,b}(a_{i,b}) for i∈[n] and b∈{0, 1}. The trapdoor functions may be generated using a lossy trapdoor function setup algorithm that ensures the trapdoor functions can be sampled efficiently in either a lossy or injective mode. The ciphertext components are stored in memory as intermediate results that contribute to the complete ciphertext assembly. In some cases, the trapdoor functions are efficiently computable and invertible in the injective mode with knowledge of the trapdoor, enabling authorized decryption operations.

The method 400 proceeds to step 408, where a final ciphertext component is computed using an XOR operation. The final ciphertext component ct_0 is computed as ct_0=m ⊕ H(s), where ⊕ denotes bitwise XOR, m represents the message to be encrypted, and H(s) represents the hash function applied to the random secret s. The hash function H may be sampled from a pairwise-independent hash family to ensure that the entropy of the random secret s given the ciphertext components is sufficiently high to prevent statistical attacks. The final ciphertext component ct_0 is stored in memory alongside the other ciphertext components to enable complete ciphertext assembly.

With continued reference to FIG. 4, the method 400 moves to step 410, where a complete ciphertext is assembled. The complete ciphertext is structured as (ct_0, {ct_{i,b}}_{i∈[n], b∈{0,1}}), combining the final ciphertext component ct_0 with the collection of ciphertext components ct_{i,b}. The assembly process organizes the ciphertext components in a format that enables efficient transmission and subsequent decryption operations. The complete ciphertext is stored in a storage device to maintain data integrity and enable retrieval for transmission or further processing operations.

The method 400 includes step 412, which presents a decision point determining whether the trapdoor functions are in lossy or injective mode. This decision logic enables the encryption process to adapt to different security models and operational requirements. When the trapdoor functions operate in lossy mode, the method 400 proceeds to step 414, where lossy mode security properties are applied. In lossy mode, the trapdoor functions may lose information about their inputs, providing computational security based on the difficulty of inverting the lossy functions without knowledge of the trapdoor. Alternatively, when the trapdoor functions operate in injective mode, the method 400 proceeds to step 416, where injective mode with trapdoor knowledge is applied. In injective mode, the trapdoor functions maintain a one-to-one mapping that can be efficiently inverted with knowledge of the trapdoor.

As further shown in FIG. 4, both the lossy mode path from step 414 and the injective mode path from step 416 converge at step 418, where the complete ciphertext is transmitted via a network interface device. The transmission process may involve formatting the complete ciphertext for network protocols and ensuring data integrity during transmission. In some cases, the transmission may include additional metadata or authentication information to support designated verifier capabilities. The network interface device facilitates communication with remote systems that may perform decryption operations or further processing of the complete ciphertext.

The decision logic for handling lossy versus injective trapdoor function modes provides flexibility in the encryption scheme's security model. In lossy mode, the security properties rely on the computational difficulty of inverting lossy trapdoor functions, while in injective mode, the security properties depend on the secrecy of the trapdoor information. The method 400 maintains security properties in both operational modes while enabling designated verifier capabilities through the structured ciphertext format and the underlying cryptographic primitives. The complete ciphertext assembly and transmission process preserves the function hiding properties of the encryption scheme, ensuring that adversaries cannot distinguish between different implementations of encryption functions that produce the same input-output behavior.

Referring to FIG. 5, a method 500 illustrates the decryption process for recovering messages from the complete ciphertext generated during the encryption phase. The method 500 begins at a step 502, where the decryption module 720 receives the complete ciphertext for processing. The complete ciphertext comprises the final ciphertext component ct_0 and the collection of ciphertext components {ct_{i,b}}_{i∈[n], b∈{0,1}} that were generated during the encryption process. The decryption processing unit 260 initiates the decryption sequence by accessing the secret key sk stored in storage unit 265, which contains the binary string ƒ of length n and the corresponding set of trapdoor function inverses

The share reconstruction engine 722 prepares to execute the computational procedures for recovering the underlying secret and subsequently the original message.

The method 500 proceeds to a step 504, where the decryption processing unit 260 computes shares using the trapdoor function inverses from the secret key. The computation follows the mathematical relationship

for each trapdoor function inverse

This computation leverages the invertible property of the trapdoor functions in injective mode, where the trapdoor function inverses can efficiently reverse the operations performed during encryption. The share reconstruction engine 722 applies the trapdoor function inverses to the corresponding ciphertext components, extracting the shares that were originally generated during the encryption process. The computed shares represent partial information about the random secret s that was used to encrypt the message, and these shares are stored in memory subsystem 2035 for subsequent processing.

With continued reference to FIG. 5, the method 500 advances to a step 506, which presents a decision point for determining whether sufficient authorized shares are available for secret reconstruction. The share reconstruction engine 722 evaluates the computed shares against the access structure defined by the secret sharing scheme for non-monotone functions. The decision logic examines whether the subset of recovered shares satisfies the authorization conditions encoded in the share generating algorithm. In cases where the attribute x and the binary string ƒ represent inputs to a function F(x, ƒ), the system evaluates whether the recovered shares correspond to an authorized combination that enables secret reconstruction. The integrity verification unit 724 may perform preliminary checks on the computed shares to ensure their validity before proceeding with the reconstruction procedure.

If sufficient authorized shares are not available, the method 500 proceeds to a step 510, where the decryption processing unit 260 outputs a decryption failure. This failure condition occurs when the secret key sk does not contain the appropriate trapdoor function inverses corresponding to the attribute a used during encryption, or when the access control policy prevents the current user from accessing the encrypted message. The message recovery unit 726 generates an error indication that is stored in storage unit 265 and may be transmitted via network interface 736 to notify the requesting entity of the unsuccessful decryption attempt. The failure mechanism provides a security barrier that prevents unauthorized access to encrypted messages while maintaining the integrity of the cryptographic system.

When sufficient authorized shares are available, the method 500 continues to a step 508, where the share reconstruction engine 722 reconstructs the secret s using a secret sharing reconstruction procedure on the computed shares. The reconstruction procedure implements mathematical algorithms that combine the authorized shares to recover the original random secret that was used during encryption. The secret sharing reconstruction procedure may employ techniques such as Lagrange interpolation for polynomial-based secret sharing schemes or linear algebraic methods for linear secret sharing schemes. The reconstructed secret s is temporarily stored in system memory 2040 with appropriate security measures to prevent unauthorized access during the brief period required for message recovery.

As further shown in FIG. 5, the method 500 proceeds to a step 512, where the message recovery unit 726 recovers the message using the reconstructed secret. The recovery process implements the mathematical relationship m=ct_0 ⊕ H(s), where the final ciphertext component ct_0 is combined with the hash of the reconstructed secret using the bitwise XOR operation. The hash function H from the pairwise-independent hash family is applied to the reconstructed secret s to generate the same pseudorandom mask that was used during encryption. The XOR operation between ct_0 and H(s) effectively removes the cryptographic mask, revealing the original message m. The central processing unit 2010 executes these computations efficiently, leveraging cache memory 2020 to optimize performance during the hash function evaluation and XOR operations.

The method 500 advances to a step 514, which implements attribute-based access control through function evaluation. The decryption processing unit 260 evaluates whether the function F(x, ƒ)=1, where a represents the attribute used during encryption and ƒ represents the binary string from the secret key. This evaluation determines whether the current secret key holder is authorized to access the message encrypted under the specific attribute x. The function F(x, ƒ) encodes the access control policy that was established during the system setup phase, and the evaluation result determines whether decryption should succeed or fail based on the attribute-based access control mechanism.

If the function evaluation F(x, ƒ) = 1 indicates authorized access, the method 500 proceeds to a step 516, where the decryption processing unit 260 outputs the decrypted message. The recovered message m is made available to the requesting application or user through the client I/O subsystem 2070, which may include a display interface 2085 for presenting the message content or a network interface controller 2080 for transmitting the message to other systems. The successful decryption is logged in the storage subsystem 2050 for audit purposes, and temporary cryptographic material such as the reconstructed secret s is securely erased from memory.

Alternatively, if F(x, ƒ) ≠ 1 indicates unauthorized access, the method 500 proceeds to a step 518, where the system denies access under the attribute-based access control restrictions. The message recovery unit 726 generates an access denial notification that is stored in non-volatile memory 2045 and may be transmitted to the requesting entity. This denial mechanism ensures that even if the decryption process reconstructs the secret and recovers the message content, the final access control check prevents unauthorized disclosure of the message. The attribute-based access control thus provides a security layer that operates independently of the cryptographic decryption itself, enabling fine-grained access policies.

The integrity verification procedures within the method 500 provide additional mechanisms that prevent unauthorized decryption while maintaining the integrity of the cryptographic system. The integrity verification unit 724 may regenerate shares using the reconstructed secret s and apply the trapdoor functions g_{i,b} to the regenerated shares. The results are compared with the original ciphertext components ct_{i,b} to verify that decryption proceeded correctly and that no tampering or corruption has occurred. This check confirms that the reconstructed secret is authentic and that the recovered message is the original plaintext. The verification mechanisms operate in conjunction with the designated verifier proof system to provide security assurance throughout the decryption process.

Referring to FIG. 6, a method 600 illustrates the process of executing and verifying designated verifier proofs within the secure attribute-based encryption system. The method 600 begins at step 602 with executing a transformation to construct a designated verifier proof. This transformation converts the attribute-based encryption scheme into a designated verifier non-interactive zero-knowledge proof system, where the proof is designated for a specific verifier holding a secret verification key. The transformation preserves the security properties of the original attribute-based encryption scheme while adding the designated verifier property. In some cases, the transformation may modify the ciphertext structure to incorporate additional cryptographic elements that enable the designated verifier functionality while maintaining the underlying security guarantees of the attribute-based encryption protocol.

The method 600 then proceeds to step 604, a decision point determining whether the proof is designated for a specific verifier with a secret verification key. This decision evaluates the configuration parameters of the proof system to select the appropriate construction path. When the proof is designated for a specific verifier (Yes branch), the method 600 moves to step 606, where the system constructs a single-message proof that maintains zero-knowledge properties. The proof consists of a single message from the prover to the designated verifier, eliminating multiple rounds of communication between the parties. This single-message construction enables efficient proof transmission while preserving the zero-knowledge property that prevents leakage of information about the underlying witness or secret values.

In cases where the proof is not designated for a specific verifier (No branch), the method 600 proceeds to step 608, where the system applies standard proof construction without designated verifier properties. This alternative path maintains compatibility with conventional proof systems and provides a fallback for scenarios where designated verifier functionality is not required. The standard proof construction may use traditional zero-knowledge proof techniques that lack the designated verifier property but still provide soundness and completeness guarantees.

From step 606, the method 600 continues to step 610, where the system verifies the integrity of the computed shares. This verification is a fundamental component of the designated verifier proof system, ensuring that the cryptographic operations have been performed correctly and that no malicious modifications occurred during proof construction or transmission. The verification begins by examining the shares computed during decryption and validating their consistency with the expected cryptographic relationships. As shown in FIG. 6, the verification process incorporates multiple stages of validation to provide assurance against various attack vectors.

The method 600 then moves to step 612, where the system regenerates shares using the reconstructed secret s. The regeneration applies the same share generating algorithm that was used during encryption, with the reconstructed secret s as input, to produce a new set of shares. This serves as a consistency check: it lets the system verify that the reconstructed secret s is consistent with the original ciphertext components. In some cases, the share regeneration may involve mathematical operations that mirror the original encryption process, so that the verification maintains the same level of cryptographic rigor as the original encryption and decryption operations.

At step 614, the method 600 applies the trapdoor functions g_{i,b} to the regenerated shares. This computes the trapdoor function outputs for the regenerated shares, producing values that can be directly compared with the original ciphertext components. The trapdoor function application uses the same function parameters that were employed during encryption, ensuring consistency between the verification process and the original cryptographic operations, and provides a mechanism for detecting inconsistencies or errors that may have occurred during decryption or reconstruction.

The method 600 then proceeds to step 616, another decision point determining whether the results match the original ciphertext components ct_{i,b}. This comparison performs equality checks between the computed trapdoor function outputs and the corresponding ciphertext components included in the original encrypted message. The comparison may use various techniques to detect discrepancies accurately, including bitwise comparisons, hash-based verification, or other cryptographic validation methods. When the results match the original ciphertext components (Yes branch), the method 600 moves to step 618, where the system confirms that integrity verification has succeeded.

In cases where the results do not match the original ciphertext components (No branch), the method 600 proceeds to step 620, where the system reports integrity verification failure. This failure indication prevents the acceptance of potentially corrupted or maliciously modified cryptographic data. Failure reporting may involve generating error messages, logging security events, or triggering additional security protocols to address the detected integrity violation. An integrity verification failure may indicate various attacks or errors, including man-in-the-middle attacks, data corruption during transmission, or computational errors during the cryptographic operations.
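The FIG. 5 decryption steps (508 to 518) and the FIG. 6 share-regeneration check (612 to 620) described above, as a toy end-to-end model added here; it is not the patent's construction or code. Constructed assumptions: each g_{i,b} is a deliberately tiny RSA permutation standing in for a lossy trapdoor function in injective mode, the share generating algorithm is derandomised from s so that shares can be regenerated at step 612, F(x, ƒ) = 1 is taken to mean x = ƒ, and H is SHA-256.

```python
import hashlib
import os

N_POS = 4                  # number of positions i in [n]
MASK = (1 << 31) - 1       # shares are 31-bit values, below every toy modulus
E = 65537                  # public exponent of the toy trapdoor permutation


def _primes(lo, hi):
    """Small primes by trial division (toy key sizes only)."""
    return [p for p in range(lo, hi)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def setup(n=N_POS):
    """pk = {(i,b): g_{i,b}} and trapdoors {(i,b): g^{-1}_{i,b}}; each g_{i,b}
    is a toy RSA permutation with a ~32-bit modulus (deliberately insecure)."""
    ps = _primes(50_000, 51_000)
    pk, trap = {}, {}
    for k, ib in enumerate((i, b) for i in range(n) for b in (0, 1)):
        p, q = ps[2 * k], ps[2 * k + 1]
        pk[ib] = (p * q, E)
        trap[ib] = (p * q, pow(E, -1, (p - 1) * (q - 1)))
    return pk, trap


def tdf(key, v):
    """Evaluate g_{i,b} (with a pk entry) or g^{-1}_{i,b} (with a trapdoor)."""
    mod, exp = key
    return pow(v, exp, mod)


def keygen(trap, f):
    """sk = (f, {g^{-1}_{i,f_i}}); the other inverses stay in the master key."""
    return f, {(i, f[i]): trap[(i, f[i])] for i in range(len(f))}


def H(s):
    """Stand-in for the pairwise-independent hash: a 32-byte mask from s."""
    return hashlib.sha256(b"H" + s.to_bytes(4, "big")).digest()


def share(s, x):
    """Derandomised share generating algorithm (constructed assumption): the
    XOR of the on-attribute shares a_{i,x_i} equals s, the other shares are
    pseudorandom filler, and all of them are a function of (s, x) only."""
    n, sh = len(x), {}
    for i in range(n):
        for b in (0, 1):
            d = hashlib.sha256(b"a" + s.to_bytes(4, "big") + bytes([i, b])).digest()
            sh[(i, b)] = int.from_bytes(d[:4], "big") & MASK
    acc = 0
    for i in range(n - 1):
        acc ^= sh[(i, x[i])]
    sh[(n - 1, x[n - 1])] = acc ^ s        # close the XOR so it reconstructs s
    return sh


def encrypt(pk, m, x):
    """ct_{i,b} = g_{i,b}(a_{i,b}) and ct_0 = m XOR H(s); m is at most 32 bytes."""
    s = int.from_bytes(os.urandom(4), "big") & MASK
    sh = share(s, x)
    ct = {ib: tdf(pk[ib], a) for ib, a in sh.items()}
    ct0 = bytes(u ^ v for u, v in zip(m, H(s)))
    return {"x": x, "ct0": ct0, "ct": ct}


def decrypt(pk, sk, C):
    """FIG. 5 steps 508-518 followed by the FIG. 6 check, steps 612-620."""
    f, inv = sk
    x = C["x"]
    s = 0                                   # step 508: s = XOR of a_{i,f_i}
    for ib, key in inv.items():
        s ^= tdf(key, C["ct"][ib])          # a_{i,f_i} = g^{-1}_{i,f_i}(ct_{i,f_i})
    m = bytes(u ^ v for u, v in zip(C["ct0"], H(s)))   # step 512: m = ct_0 XOR H(s)
    if x != f:                              # step 514: F(x, f) = 1 ?  (equality policy)
        return "ACCESS_DENIED", b""         # step 518
    regen = share(s, x)                     # step 612: regenerate shares from s
    for ib, a in regen.items():             # steps 614-616: g_{i,b}(a'_{i,b}) == ct_{i,b} ?
        if tdf(pk[ib], a) != C["ct"][ib]:
            return "INTEGRITY_FAILURE", b"" # step 620
    return "OK", m                          # steps 516 / 618


def demo():
    """Honest decryption, one flipped ciphertext bit, and a non-matching key."""
    pk, trap = setup()
    x = [1, 0, 1, 1]
    C = encrypt(pk, b"attribute-bound message", x)
    good, other = keygen(trap, x), keygen(trap, [0, 0, 1, 1])
    tampered = dict(C, ct=dict(C["ct"]))
    tampered["ct"][(0, 1)] ^= 1             # corrupt ct_{0,1} in transit
    return {
        "honest": decrypt(pk, good, C),
        "tampered": decrypt(pk, good, tampered)[0],
        "wrong_key": decrypt(pk, other, C)[0],
    }
```

Because the regenerated shares are a function of s and x alone, any change to a ct_{i,b} component changes the reconstructed secret or the regenerated shares and is caught at step 616, while a key with ƒ ≠ x is stopped at step 514 before the check runs.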

The designated verifier proof construction maintains several fundamental security properties that distinguish the system from conventional proof mechanisms. The proof demonstrates knowledge of a witness for a statement without revealing any information about the witness beyond its existence, preserving the zero-knowledge characteristics that are fundamental to secure cryptographic protocols. This property ensures that the designated verifier can validate the correctness of the proof without gaining access to sensitive information about the underlying message, attributes, or cryptographic secrets. In some cases, the zero-knowledge properties may be maintained through sophisticated mathematical techniques that carefully balance the information disclosure necessary for verification with the privacy requirements of the underlying cryptographic system.

The designated verifier proof system incorporates additional security guarantees that enhance the overall security posture of the attribute-based encryption scheme. The proof cannot be re-used or transferred to convince any other party of the statement's validity, preventing replay attacks and unauthorized proof sharing. This non-transferability property keeps the proof bound to the specific designated verifier, so that it cannot be leveraged by malicious parties to gain unauthorized access or to impersonate legitimate verifiers. Furthermore, the designated verifier cannot use the proof to convince others, maintaining zero-knowledge even if the verifier is malicious. This property protects against scenarios where the designated verifier attempts to use the proof for unauthorized purposes or to compromise the privacy of the original prover.

The integrity verification process provides protection against attack vectors that may target the designated verifier proof system. By regenerating shares using the reconstructed secret s and applying the trapdoor functions g_{i,b} to the regenerated shares, the system can detect modifications, corruptions, or inconsistencies introduced during proof construction, transmission, or verification. The comparison with the original ciphertext components ct_{i,b} provides a final validation step that ensures the mathematical consistency of the entire cryptographic operation, from initial encryption through final verification.

Referring to FIG. 7, a secure attribute-based encryption system 702 provides a cryptographic architecture that implements function hiding properties and designated verifier proof capabilities. The secure attribute-based encryption system 702 comprises multiple interconnected modules that together perform encryption, decryption, and verification operations while maintaining security against various attack vectors. The architecture enables secure communication between parties while preserving the confidentiality of both the encrypted data and the underlying encryption functions. The modular design of the secure attribute-based encryption system 702 allows for scalable deployment across different network environments and supports various cryptographic protocols.

A parameter generation module 704 forms the foundation of the secure attribute-based encryption system 702 and handles the initialization of the cryptographic parameters used throughout encryption and decryption. The parameter generation module 704 contains specialized components that generate the mathematical structures underlying the attribute-based encryption scheme. Within the parameter generation module 704, a hash function sampler 706 samples hash functions from pairwise-independent hash families; the selected hash function H serves as a public parameter of the encryption scheme. The hash function sampler 706 ensures that the entropy of a random secret s given the ciphertext components remains sufficiently high to prevent statistical attacks, thereby maintaining the security of the overall system. The pairwise-independent hash family selection performed by the hash function sampler 706 provides collision resistance and uniform distribution properties that are used during encryption and decryption.

A trapdoor function generator 708 operates within the parameter generation module 704 to create the trapdoor function pairs

for i∈[n] and b∈{0,1}, where n is a positive integer parameter. The trapdoor function generator 708 implements a lossy trapdoor function setup algorithm that allows the trapdoor functions to be sampled efficiently in either a lossy or an injective mode, providing flexibility in the security model. In the injective mode, the trapdoor function pairs

are efficiently computable and, with knowledge of the trapdoor, invertible, enabling authorized parties to perform decryption. The trapdoor function generator 708 creates these structures so that they maintain their security properties under both computational and statistical security models, supporting the dual-mode operation that enables security proofs under different assumptions.

A key management unit 710 connects to the parameter generation module 704 and manages the distribution and storage of the cryptographic keys generated by the system. The key management unit 710 handles the creation of public keys pk as sets of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}} and manages secret keys sk comprising binary strings ƒ of length n and sets of trapdoor function inverses

where ƒ_i is the i-th bit of ƒ. The key management unit 710 also stores the remaining trapdoor function inverses as master secret keys, maintaining the hierarchical key structure that enables attribute-based access control. The key management unit 710 implements secure key derivation procedures that ensure the independence of individual user keys while preserving the ability to perform attribute-based encryption and decryption.

An encryption module 712 receives input messages and attributes from external sources and performs the encryption operations using the parameters and keys managed by the parameter generation module 704 and the key management unit 710. The encryption module 712 implements the core encryption algorithm that transforms plaintext messages into ciphertext under specified attributes, so that decryption can occur when the attribute-based conditions are satisfied. Within the encryption module 712, a secret sharing engine 714 generates shares (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}) using a share generating algorithm that implements a secret sharing scheme for non-monotone functions. The secret sharing engine 714 enables reconstruction of the secret s from an authorized subset of the shares, supporting access policies that go beyond simple threshold schemes. The share generating algorithm implemented by the secret sharing engine 714 distributes the random secret s across multiple shares in a manner that preserves the security properties while enabling efficient reconstruction when authorized attributes are present.

A ciphertext generator 716 operates within the encryption module 712 to compute ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for i∈[n] and b∈{0, 1} using the trapdoor functions generated by the trapdoor function generator 708. The ciphertext generator 716 also computes a final ciphertext component ct_0 = m ⊕ H(s), where ⊕ denotes bitwise XOR and m is the input message. The ciphertext generator 716 assembles these components into a complete ciphertext (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) that can be transmitted over networks while maintaining the confidentiality of the underlying message. The ciphertext generation performed by the ciphertext generator 716 ensures that the resulting ciphertext maintains the function hiding property: an adversary with access to the complete ciphertext and the message cannot distinguish between two different implementations of encryption functions that produce the same input-output behavior.

A lossy trapdoor function processor 718 within the encryption module 712 manages the dual-mode operation of the trapdoor functions, handling both lossy and injective modes depending on the security requirements and operational context. The lossy trapdoor function processor 718 ensures that the encryption process maintains its security properties in either mode, providing flexibility in the security model while keeping functionality consistent. The lossy trapdoor function processor 718 coordinates with the trapdoor function generator 708 to ensure that the mode selection aligns with the overall security parameters of the system and the requirements of the encryption operation being performed.

A decryption module 720 receives encrypted ciphertext and performs the decryption operations using the secret keys managed by the key management unit 710. The decryption module 720 implements the inverse of the operations of the encryption module 712, recovering the original message when the attribute-based conditions are satisfied. Within the decryption module 720, a share reconstruction engine 722 computes shares

for trapdoor function inverses

and reconstructs the secret s using a secret sharing reconstruction procedure on the computed shares. The share reconstruction engine 722 implements algorithms that handle non-monotone access structures, enabling complex attribute-based policies while keeping reconstruction efficient. The reconstruction process performed by the share reconstruction engine 722 verifies that the attribute x and the binary string ƒ are inputs to a function F(x, ƒ), where decryption succeeds when F(x, ƒ) = 1, thereby implementing attribute-based access control.

An integrity verification unit 724 operates within the decryption module 720 to verify the integrity of the computed shares during decryption. The integrity verification unit 724 regenerates shares using the reconstructed secret s, applies the trapdoor functions g_{i,b} to the regenerated shares, and compares the results with the original ciphertext components ct_{i,b}. This verification ensures that decryption has been performed correctly and that the reconstructed secret corresponds to the original secret used during encryption. The integrity verification unit 724 provides protection against attack scenarios in which adversaries attempt to manipulate ciphertext components or inject false shares into the reconstruction process.

A message recovery unit 726 within the decryption module 720 performs the final step of decryption by recovering the original message as m = ct_0 ⊕ H(s) using the reconstructed secret s and the hash function H. The message recovery unit 726 ensures that the recovered message retains its original format and content, completing decryption when the attribute-based access control conditions are satisfied. The message recovery unit 726 coordinates with the integrity verification unit 724 so that message recovery occurs when the verification procedures confirm the validity of the decryption operation.

A zero-knowledge proof module 728 connects to the decryption module 720 and implements cryptographic protocols that enable verification of decryption operations without revealing sensitive information. The zero-knowledge proof module 728 executes transformations to construct designated verifier non-interactive zero-knowledge proofs that demonstrate knowledge of witnesses for statements without revealing information about the witnesses beyond their existence. Within the zero-knowledge proof module 728, a designated verifier proof generator 730 creates proofs designated for specific verifiers with secret verification keys, each proof consisting of a single message from the prover to the designated verifier. The designated verifier proof generator 730 ensures that designated verifiers possessing the secret verification keys can validate the proofs, while the proofs cannot be re-used or transferred to convince other parties of the statements' validity. The designated verifier cannot use the proof to convince others, so the zero-knowledge property holds even when the verifier is malicious.

A function hiding controller 732 operates within the zero-knowledge proof module 728 to implement function hiding properties throughout the cryptographic operations. The function hiding controller 732 ensures that transformations preserve the security properties of the original attribute-based encryption scheme while adding the designated verifier property. The function hiding controller 732 coordinates with the other system components to maintain the indistinguishability of different encryption function implementations that produce the same input-output behavior, protecting against adversaries who attempt to learn information about the underlying encryption functions by observing ciphertext and message pairs.

A secure storage 734 connects to the secure attribute-based encryption system 702 and provides persistent storage for encryption parameters, cryptographic keys, and other sensitive data used throughout system operation. The secure storage 734 implements access controls and encryption mechanisms to protect stored data from unauthorized access while enabling efficient retrieval by authorized system components. The secure storage 734 maintains the integrity and confidentiality of stored cryptographic materials, supporting the long-term security of the attribute-based encryption system.

A network interface 736 enables communication between the secure attribute-based encryption system 702 and external networks and devices, facilitating the transmission of encrypted data and the coordination of cryptographic operations across distributed environments. The network interface 736 implements secure communication protocols that protect data in transit while enabling the system to operate in networked environments where multiple parties participate in encryption and decryption operations.

Referring to FIG. 8, a client computing architecture 2000 provides the computational infrastructure for executing secure attribute-based encryption operations and managing cryptographic data processing tasks. The client computing architecture 2000 comprises multiple interconnected subsystems that together support the mathematical operations involved in the encryption and decryption processes described herein. The architecture may be configured to handle the computational demands of trapdoor function operations, secret sharing algorithms, and hash function computations that form the foundation of the secure attribute-based encryption system. In some cases, the client computing architecture 2000 may be implemented as a standalone computing device, a mobile device, or as part of a distributed computing environment where cryptographic operations are performed locally while maintaining secure communication with remote systems.

The client computing architecture 2000 includes a processing subsystem 2005 that serves as the computational engine for executing the cryptographic algorithms and mathematical operations. The processing subsystem 2005 comprises a central processing unit 2010 that handles the primary computational tasks, including the generation of trapdoor function pairs

for i∈[n] and b∈{0,1} using a lossy trapdoor function setup algorithm. The central processing unit 2010 may be configured to sample these trapdoor functions efficiently in either a lossy or an injective mode, depending on the security requirements of the encryption operation being performed. The processing subsystem 2005 also includes a memory management unit 2015 that coordinates data flow between the memory components and ensures efficient allocation of memory resources during cryptographic operations. A cache memory 2020 provides high-speed temporary storage for frequently accessed cryptographic parameters, intermediate computation results, and cached trapdoor function values to accelerate encryption and decryption.

With continued reference to FIG. 8, the processing subsystem 2005 incorporates a graphics processing unit 2025 that may be used for parallel processing of cryptographic operations, particularly for large-scale secret sharing computations or when processing multiple ciphertext components simultaneously. The graphics processing unit 2025 may be configured to compute the ciphertext components ct_{i,b} = g_{i,b}(a_{i,b}) for multiple values of i∈[n] and b∈{0, 1} in parallel, thereby accelerating encryption. An AI processing unit 2030 may be integrated within the processing subsystem 2005 to optimize cryptographic operations through machine learning algorithms, pattern recognition for security threat detection, or adaptive optimization of encryption parameters based on usage patterns and security requirements. The AI processing unit 2030 may also assist in implementing the function hiding properties by analyzing encryption patterns and ensuring that adversaries cannot distinguish between different implementations of encryption functions that produce the same input-output behavior.

The client computing architecture 2000 includes a memory subsystem 2035 that provides various types of memory storage for cryptographic data, encryption parameters, and intermediate computation results. The memory subsystem 2035 comprises system memory 2040, which may be implemented as random access memory (RAM) that stores active cryptographic operations, including the hash function H sampled from a pairwise-independent hash family, the public key pk comprising the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}}, and the secret key sk containing the binary string ƒ of length n and the corresponding trapdoor function inverses. The system memory 2040 may also store the shares (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}) generated by the share generating algorithm that implements a secret sharing scheme for non-monotone functions, allowing reconstruction of the secret s from an authorized subset of the shares. Non-volatile memory 2045 provides persistent storage for long-term cryptographic parameters, master secret keys, and configuration data that must be retained across system power cycles and reboots.

As further shown in FIG. 8, the client computing architecture 2000 incorporates a storage subsystem 2050 that manages long-term data storage and retrieval for cryptographic data and system operations. The storage subsystem 2050 includes a storage controller 2055 that coordinates data access and manages the interface between the processing subsystem 2005 and the storage devices. Solid state storage 2060 provides high-speed, non-volatile storage for frequently accessed cryptographic parameters, cached encryption keys, and intermediate computation results that may be needed for subsequent cryptographic operations. The solid state storage 2060 may be configured with hardware-level encryption to provide additional protection for stored cryptographic data. Hard disk storage 2065 offers high-capacity storage for archived cryptographic data, historical encryption logs, and backup copies of cryptographic keys and parameters. The combination of solid state storage 2060 and hard disk storage 2065 provides a tiered storage architecture that balances performance with capacity for cryptographic data management.

The client computing architecture 2000 includes a client I/O subsystem 2070 that manages input and output operations for the secure attribute-based encryption system. The client I/O subsystem 2070 comprises an I/O controller 2075 that coordinates data flow between the internal system components and external interfaces. A network interface controller 2080 enables secure communication with remote systems, allowing the transmission of complete ciphertexts (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and the reception of messages m and attributes x for encryption. The network interface controller 2080 may implement additional security protocols to protect cryptographic data during transmission and ensure the integrity of received data. A display interface 2085 provides visual output for system status information, encryption operation progress, and user interface elements related to cryptographic operations. User input devices 2090 enable user interaction with the secure attribute-based encryption system, allowing users to initiate encryption operations, specify attributes for access control, and configure system parameters.

The various subsystems within the client computing architecture 2000 are interconnected through a system bus 2095 that facilitates high-speed data transfer and communication between components. The system bus 2095 may be implemented as a high-bandwidth interconnect that supports the data transfer requirements of cryptographic operations, including the movement of large cryptographic parameters, intermediate computation results, and ciphertext data between the processing subsystem 2005, memory subsystem 2035, storage subsystem 2050, and client I/O subsystem 2070. The system bus 2095 may incorporate security features such as data encryption and access control mechanisms to protect sensitive cryptographic data during internal transfers. In some cases, the system bus 2095 may support multiple concurrent data transfers to enable parallel processing of cryptographic operations across different subsystems.

The client computing architecture 2000 may be configured to support attribute-based access control, where the attribute x and the binary string ƒ are inputs to a function F(x, ƒ) and decryption succeeds if and only if F(x, ƒ) = 1. The processing subsystem 2005 may evaluate this function using the central processing unit 2010 or distribute the computation across multiple processing units for improved performance. The trapdoor function pairs

may be efficiently computable and, in the injective mode, invertible with knowledge of the trapdoor, enabling the system to perform both encryption and decryption with optimal computational efficiency. The memory subsystem 2035 may store precomputed values and lookup tables to accelerate the evaluation of trapdoor functions and reduce the computational overhead of cryptographic operations.

Referring to FIG. 9, a network architecture 2100 provides a distributed computing environment for deploying the secure attribute-based encryption system across multiple computing platforms and service layers. The network architecture 2100 encompasses client systems 2105, server systems 2155, and cloud services 2180, interconnected through network infrastructure 2220 to enable scalable cryptographic operations. The distributed nature of the network architecture 2100 allows the deployment of encryption parameters, trapdoor function generation, and ciphertext processing across geographically dispersed computing resources while maintaining the security properties of the attribute-based encryption scheme.

The client systems 2105 include a mobile client 2110 and a desktop client 2115 that serve as endpoints for initiating encryption and decryption operations within the secure attribute-based encryption system. The mobile client 2110 may execute lightweight cryptographic operations such as message preparation and ciphertext assembly, while leveraging the computational resources of the cloud services 2180 for intensive operations like trapdoor function evaluation and share generation. The desktop client 2115 may provide enhanced processing capabilities for local execution of encryption parameter generation and secret key management operations. Both the mobile client 2110 and desktop client 2115 connect to the network infrastructure 2220 through a local area network 2140, enabling secure communication with remote cryptographic services.

The network infrastructure 2220 facilitates secure data transmission between the client systems 2105 and the distributed computing resources through multiple network layers. A wide area network 2145 provides connectivity to geographically distributed server systems 2155 and cloud services 2180, enabling the secure attribute-based encryption system to operate across multiple data centers and computing regions. A content delivery network 2150 may cache frequently accessed public parameters such as the hash function H from the pairwise-independent hash family and the public key pk containing the set of trapdoor functions {g_{i,b}}_{i∈[n],b∈{0,1}}. The content delivery network 2150 reduces latency for encryption operations by providing geographically distributed access to these public cryptographic parameters.

The server systems 2155 provide dedicated computing resources for executing specific components of the secure attribute-based encryption system. An application server 2160 may host the encryption and decryption algorithms, managing the generation of shares (a_{1,0}, a_{1,1}, . . . , a_{n,0}, a_{n,1}) using the share generating algorithm and computing ciphertext components ct_{i,b}=g_{i,b}(a_{i,b}) for i∈[n] and b∈{0, 1}. A web server 2165 may provide user interfaces for attribute specification and message input, enabling users to submit messages m and attributes a for encryption operations. The web server 2165 may also serve as an endpoint for receiving complete ciphertexts (ct_0, {ct_{i,b}}_{i∈[n],b∈{0,1}}) and presenting decrypted messages to authorized users.

A database server 2170 within the server systems 2155 may store cryptographic parameters, secret keys, and master secret keys in a secure manner. The database server 2170 may implement access control mechanisms that align with the attribute-based access control function F(x, ƒ), where decryption succeeds if and only if F(x, ƒ)=1. A storage server 2175 may provide persistent storage for ciphertext data and may implement distributed storage schemes that complement the secret sharing properties of the encryption system. The storage server 2175 may distribute ciphertext components across multiple storage nodes to enhance availability and fault tolerance.

The cloud services 2180 provide scalable computing resources for executing computationally intensive cryptographic operations. A load balancer 2185 distributes encryption and decryption requests across multiple computing instances within the cloud services 2180, enabling the system to handle varying workloads while maintaining consistent performance. The load balancer 2185 may implement intelligent routing algorithms that consider the computational complexity of different cryptographic operations, directing trapdoor function evaluations to appropriate computing resources based on their processing capabilities.

Cloud compute 2190 within the cloud services 2180 provides the computational infrastructure for executing the secure attribute-based encryption algorithms. Virtual machines 2195 within the cloud compute 2190 may host dedicated instances of the encryption and decryption processes, with each virtual machine configured to execute specific cryptographic operations such as trapdoor function generation or share reconstruction. The virtual machines 2195 may be dynamically provisioned based on the computational demands of the encryption system, scaling up during periods of high encryption activity and scaling down during periods of low utilization.

Container services 2200 within the cloud compute 2190 provide lightweight, portable execution environments for cryptographic algorithms. The container services 2200 may encapsulate the hash function sampling process, trapdoor function generation algorithms, and secret sharing implementations in isolated containers that can be deployed across multiple computing nodes. This containerized approach enables rapid deployment and scaling of cryptographic services while maintaining consistency across different computing environments. The container services 2200 may also facilitate the implementation of designated verifier non-interactive zero knowledge proofs by providing isolated execution environments for proof generation and verification processes.

Serverless functions 2205 within the cloud compute 2190 enable event-driven execution of specific cryptographic operations. The serverless functions 2205 may be triggered by encryption requests to execute operations such as sampling the random secret s, computing the final ciphertext component ct_0=m ⊕H(s), and running integrity verification procedures. The serverless functions 2205 provide automatic scaling capabilities, instantiating additional function instances as encryption demand increases and terminating instances when demand decreases. This serverless architecture may reduce operational overhead while providing cost-effective execution of cryptographic operations.

An API gateway 2210 within the cloud services 2180 provides a unified interface for accessing the distributed cryptographic services. The API gateway 2210 may expose endpoints for encryption parameter generation, message encryption, ciphertext decryption, and proof verification operations. The API gateway 2210 may implement authentication and authorization mechanisms that integrate with the attribute-based access control properties of the encryption system, ensuring that users can access cryptographic services based on their attributes and associated permissions.

Cloud storage 2215 within the cloud services 2180 provides scalable storage for cryptographic data and parameters. The cloud storage 2215 may store public parameters such as the hash function H and public key pk, as well as encrypted data and associated metadata. The cloud storage 2215 may implement distributed storage schemes that align with the secret sharing properties of the encryption system, distributing ciphertext components across multiple storage locations to enhance security and availability.

Data flow services 2225 within the network architecture 2100 enable efficient processing and movement of cryptographic data across the distributed system. A message queue 2230 within the data flow services 2225 provides asynchronous communication between different components of the encryption system. The message queue 2230 may buffer encryption requests during periods of high demand, ensuring that cryptographic operations are processed in an orderly manner without overwhelming the computing resources. The message queue 2230 may also facilitate the coordination of multi-step cryptographic processes, such as the sequential execution of share generation, ciphertext component computation, and final ciphertext assembly.

Stream processing 2235 within the data flow services 2225 enables real-time processing of cryptographic operations as data flows through the system. The stream processing 2235 may process continuous streams of encryption requests, applying the secure attribute-based encryption algorithms to incoming messages and attributes in real time. The stream processing 2235 may also implement real-time integrity verification by continuously monitoring the consistency of computed shares and ciphertext components as they are generated and transmitted through the system.

Batch processing 2240 within the data flow services 2225 enables efficient processing of large volumes of cryptographic operations. The batch processing 2240 may aggregate multiple encryption requests and process them collectively, optimizing resource utilization and reducing per-operation overhead. The batch processing 2240 may be particularly effective for operations such as trapdoor function generation, where multiple function pairs can be generated simultaneously using parallel processing techniques.

An ETL pipeline 2245 within the data flow services 2225 provides extract, transform, and load capabilities for cryptographic data management. The ETL pipeline 2245 may extract cryptographic parameters and ciphertext data from various sources, transform the data to ensure compatibility with different components of the encryption system, and load the processed data into appropriate storage and computing resources. The ETL pipeline 2245 may also implement data validation procedures to ensure the integrity of cryptographic parameters and ciphertext components as they move through the distributed system.

The integration of these network architecture components enables the secure attribute-based encryption system to operate at scale across distributed computing environments while maintaining the security properties of the cryptographic algorithms. The distributed nature of the network architecture 2100 provides redundancy and fault tolerance, ensuring that cryptographic operations can continue even if individual components experience failures or performance degradation.

Throughout this disclosure, various terms and phrases are used to describe features of the disclosed technology. It is to be understood that these terms and phrases may encompass a variety of meanings and definitions, as is common in the field of technology and patent law. The definitions of these terms may vary depending on the context in which they are used, the specific embodiment being described, or the interpretation of the technology by those skilled in the art.

In various embodiments, certain variable names, symbols, or labels may be used in the claims to represent various elements, components, or steps of the described methods, systems, and apparatuses. These variable names, symbols, or labels are provided for convenience and clarity in describing the claimed subject matter. However, it should be understood that the use of such variable names, symbols, or labels in the claims does not necessarily limit these elements, components, or steps to being the same specific entities described in the specification or in other parts of the disclosure. The variable names, symbols, or labels used in the claims should be interpreted broadly and may encompass various implementations, variations, or equivalents of the described elements, components, or steps, unless explicitly stated otherwise or clearly limited by the context of the claim. As such, the scope of the claims is not confined to the specific examples or embodiments described in the specification, but rather extends to the full breadth of the inventive concepts disclosed herein.

For instance, terms such as “computing device,” “processor,” “memory,” and “network” may refer to a wide range of devices, components, systems, and configurations known in the art, and their specific definitions may differ based on the implementation or design of the system. Similarly, phrases like “securely storing,” “computing a vector,” and “generating a message” may involve various methods, techniques, and processes that achieve the same or similar outcomes but may be executed in different manners.

It is also to be understood that the use of terms in the singular or plural form is not intended to limit the scope of the claims. For example, the mention of “a computing device” does not preclude the presence of multiple computing devices within a system. Likewise, references to “a network” may include various interconnected networks or a single network comprising multiple segments or layers.

Furthermore, the use of the term “may” in relation to an action or feature indicates that the action or feature is possible, but not necessarily mandatory. This term is used to describe optional or alternative aspects of the disclosed technology that provide flexibility in how the technology may be implemented or utilized.

The definitions provided herein are intended to serve as examples and are not exhaustive. Those skilled in the art may ascribe different meanings to these terms based on the context, the specific technology being described, or the advancements in the field. Therefore, the definitions of the terms and phrases used in this disclosure and the claims are to be interpreted broadly and in a manner consistent with the understanding of those skilled in the relevant art.

The use of the word “a” or “an” when used in conjunction with the claims herein is to be interpreted as including one or more than one of the element it introduces. Similarly, the use of the term “or” is intended to be inclusive, such that the phrase “A or B” is intended to include A, B, or both A and B, unless explicitly stated otherwise.

Reference throughout the specification to “one embodiment,” “another embodiment,” “an embodiment,” and so forth, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure, and may not necessarily be present in all embodiments. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments without limitation.

The use of the terms “first,” “second,” and the like does not imply any order or sequence, but serves to distinguish one element from another, and the terms “top,” “bottom,” “front,” “back,” “leading,” “trailing,” and the like are used for descriptive purposes and are not necessarily to be construed as limiting.

As used herein, the term “processor” refers to any computing entity capable of executing instructions to perform a specific set of operations, whether implemented in hardware, firmware, software, or any combination thereof. This definition includes a broad range of processing technologies and architectures. The term encompasses general-purpose processors such as Central Processing Units (CPUs), specialized processors such as Graphics Processing Units (GPUs), as well as highly specialized hardware accelerators such as Neural Processing Units (NPUs) for artificial intelligence applications and Tensor Processing Units (TPUs) for machine learning workloads.

The term also encompasses reconfigurable computing architectures such as Field-Programmable Gate Arrays (FPGAs) for applications requiring specialized processing configurations, Application-Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Systolic Array Processors, and emerging computing paradigms such as Quantum Processors that leverage principles of quantum mechanics. System on Chip (SoC) designs, heterogeneous computing systems, Edge Computing Processors for distributed network applications, cloud-based and distributed processors, multi-core and parallel processors, and Neuromorphic processors that draw inspiration from biological neural architectures are all encompassed within this definition.

The term “processor” also encompasses the associated memory hierarchies, including primary memory (such as RAM), secondary storage (such as hard drives and SSDs), and cache memory, which work in conjunction with the processor to store and retrieve data necessary for executing instructions. In this patent application, any reference to a “processor” should be interpreted broadly to include any type of processing unit capable of performing the described functions, regardless of its specific implementation, architecture, or physical form.

As used herein, the term “messages” may refer to any form of data or information that can be processed, transmitted, or stored in a digital format. Messages may include arbitrary-length plaintext messages, pre-hashed messages, concatenated messages, binary data, network protocol messages, database records, and time-stamped messages. Messages may be composed of characters, symbols, or binary data and may represent various forms of content such as text, numbers, multimedia, executable code, or any other data that can be digitally encoded. Messages may be used as input for cryptographic functions, such as keyed hash functions, where they are transformed into a fixed-size hash value influenced by a secret cryptographic key.

The term “messages” encompasses a wide range of data types and structures, from simple text strings to complex structured data, and may include metadata, headers, footers, or other information that facilitates the processing, transmission, or interpretation of the content. Messages may be generated by users, systems, or processes and may be intended for various purposes, including communication, authentication, verification, logging, or any other function that involves the use of digital data.

Messages may also include data formats specific to artificial intelligence and machine learning applications, such as tensors, feature vectors, embeddings, model parameters, activation maps, training examples, and inference requests. In distributed and edge computing contexts, the term “messages” further extends to include event streams, state updates, service requests, synchronization messages, and smart contract transactions used in blockchain platforms.

As used herein, the terms “store,” “storing,” “storage,” or variants thereof refer to any means, methods, systems, or processes for recording, retaining, or preserving data in a retrievable format. This terminology encompasses a broad spectrum of technologies and mechanisms that may be employed to maintain information for future access or reference.

The term “storing” or “storage” as used in this specification may encompass both persistent and transient data retention. In some cases, the storage may be entirely ephemeral, lasting only for the duration of a specific operation or process. The use of these terms does not imply any particular time period for data retention or any level of permanence. Storage and storing may be as brief as a few microseconds or indefinitely long, depending on the specific implementation and requirements of the system.

The term includes traditional electronic storage technologies such as magnetic storage (including hard disk drives, magnetic tape, and floppy disks), optical storage (including optical discs, holographic storage, and optical tape), and solid-state storage (including solid-state drives, flash memory, static random-access memory, dynamic random-access memory, and read-only memory). It also encompasses emerging storage technologies such as DNA storage, molecular storage, quantum storage, and photonic storage.

Storage terminology may refer to various architectural organizations and hierarchies of data repositories. This includes primary storage (main memory, cache memory) designed for rapid access during processing operations; secondary storage providing non-volatile retention of larger data volumes; and tertiary storage for archival purposes. The terminology extends to distributed storage architectures such as network-attached storage (NAS), storage area networks (SAN), direct-attached storage (DAS), and object storage systems. It also includes cloud-based storage configurations, including public, private, and hybrid cloud storage implementations; edge storage systems located at network peripheries; and fog storage systems distributed between centralized and edge locations.

The definition encompasses storage virtualization technologies that abstract physical storage resources and present them as logical storage units, including virtual disks, software-defined storage, and storage hypervisors. It also includes storage orchestration systems that manage data placement, replication, and migration across distributed infrastructures.

The terminology extends to various data organization and management paradigms. This includes file systems that organize data into files and directories; block storage systems that manage data as fixed-sized blocks; object storage systems that handle data as discrete objects with metadata; and content-addressable storage systems that retrieve data based on content rather than location. It also includes specialized storage structures such as databases, data lakes, data warehouses, and knowledge repositories.

Storage terminology encompasses various operational characteristics and capabilities of storage systems. This includes persistent storage that maintains data integrity across power cycles; volatile storage that requires continuous power to retain data; and nonvolatile storage that preserves data without power. It also includes immutable storage that prevents modification of stored data; append-only storage that allows additions but not modifications; and version-controlled storage that maintains historical states of data. The term further encompasses encrypted storage that protects data confidentiality; redundant storage that duplicates data to prevent loss; and resilient storage that maintains availability despite component failures.

In specialized computing contexts, storage terminology may refer to domain-specific storage mechanisms. For blockchain and distributed ledger technologies, this includes on-chain storage within the blockchain itself and off-chain storage that maintains references to externally stored data. For neural networks and artificial intelligence systems, it includes weight storage for maintaining learned parameters and activation storage for intermediate computational results. For quantum computing systems, it refers to quantum state storage that preserves quantum information, while for edge computing, it includes transient storage for temporary data processing at network boundaries.

The term “storage” also encompasses the protocols, interfaces, and access methods used to interact with stored data. This includes file access protocols (such as NFS, SMB, and HDFS), block access protocols (such as iSCSI, Fibre Channel, and ATA), and object access protocols (such as S3, Swift, and CDMI). It also includes direct memory access mechanisms, memory-mapped file interfaces, and storage controller interfaces.

The term “database” should be construed to mean a blockchain, distributed ledger technology, key-value store, document-oriented database, graph database, time-series database, in-memory database, columnar database, object-oriented database, hierarchical database, network database, or any other structured data storage system capable of storing and retrieving information. This may include traditional relational database management systems (RDBMS), NoSQL databases, NewSQL databases, or hybrid database systems that combine multiple database paradigms. The database may be centralized, distributed, or decentralized, and may employ various data models, indexing strategies, and query languages to organize and access the stored information. It may also incorporate features such as ACID (Atomicity, Consistency, Isolation, Durability) compliance, eventual consistency, sharding, replication, or partitioning to ensure data integrity, availability, and scalability. The database may be hosted on-premises, in the cloud, or in a hybrid environment, and may support various access methods including direct queries, API calls, or event-driven architectures.

The term “database” further encompasses specialized data storage and management systems designed for particular domains or use cases. This includes blockchain and distributed ledger technologies used for secure, decentralized transaction records, edge databases optimized for resource-constrained environments, vector databases for high-dimensional data, time-series databases for temporal data management, knowledge graphs for representing interconnected information, federated databases for integrating autonomous systems, and emerging paradigms such as quantum databases that leverage quantum computing principles.

The terms “connected,” “coupled,” or any variant thereof, mean any direct or indirect connection or coupling between two or more elements, and may encompass the presence of one or more intermediate elements between the two elements that are connected or coupled to each other.

In the context of modern computing architectures and network topologies, these terms may also refer to various connection modalities. This includes physical connections through wired or wireless interfaces, logical connections operating independently of the physical layer, API connections allowing software components to communicate, and microservice connections in distributed architectures. The terminology extends to edge-to-cloud connections for distributed processing environments, blockchain connections for distributed ledger systems, quantum connections for secure communication, and neural network connections for artificial intelligence systems.

As used herein, the term “display” or “displaying” refers to any means, method, apparatus, or process for visually presenting or otherwise conveying information to a user. This terminology encompasses a broad spectrum of technologies and presentation modalities that may be employed to render content perceivable by a user. The term includes traditional display technologies such as cathode ray tubes (CRTs), liquid crystal displays (LCDs), light-emitting diode (LED) displays, organic light-emitting diode (OLED) displays, micro-LED displays, and electronic paper displays. It also encompasses specialized display types such as transparent displays, flexible displays, foldable displays, stretchable displays, and holographic displays.

The term “display” may also refer to projection systems, including traditional projectors, laser projectors, pico projectors, and holographic projection systems. It further includes immersive display technologies such as head-mounted displays (HMDs), virtual reality (VR) headsets, augmented reality (AR) glasses, mixed reality (MR) systems, and smart contact lenses. The terminology extends to ambient display methods that integrate visual information into the environment, such as smart mirrors, interactive surfaces, projection mapping systems, and volumetric displays.

The definition also encompasses non-visual display modalities that may complement or substitute for visual displays. This includes auditory displays such as speech output systems, sonification interfaces, and spatial audio; haptic displays that communicate through tactile feedback, vibration patterns, or force feedback; and other sensory output mechanisms such as olfactory displays and thermotactile interfaces. Multimodal displays that combine multiple sensory channels for information presentation are also included within this terminology.

The term “display” further encompasses the software and computational components involved in rendering information. This includes rendering engines, graphics processing pipelines, display servers, and compositing systems. It also includes specialized display rendering techniques such as rasterization, ray tracing, vector graphics, procedural generation, and neural rendering. The term extends to user interface paradigms such as graphical user interfaces (GUIs), natural user interfaces (NUIs), voice user interfaces (VUIs), brain-computer interfaces (BCIs), and ambient intelligence systems.

In the context of accessibility, the term “display” includes assistive technologies and alternative display methods designed to accommodate diverse user needs. This encompasses screen readers, braille displays, audio descriptions, high-contrast modes, color-shifted presentations, and other adaptive display mechanisms. The terminology also includes display personalization techniques such as adaptive interfaces, contextual displays, and user-specific rendering optimizations.

The description of the embodiments of the present disclosure is intended to be illustrative, and not to limit the scope of the claims. Many alternatives, modifications, and variations will be apparent to those skilled in the art. A number of implementations have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the disclosure. Accordingly, other implementations are within the scope of the following claims.


Patent Metadata

Filing Date

September 30, 2025

Publication Date

April 2, 2026

Inventors

Riddhi Ghosal
Ilan Komargodski
Brent Waters


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “REUSABLE DESIGNATED VERIFIER NON-INTERACTIVE ZERO-KNOWLEDGE PROOFS FROM LOSSY TRAPDOOR FUNCTIONS” (US-20260095324-A1). https://patentable.app/patents/US-20260095324-A1
